The C-suite conundrum: are senior executives the Achilles' heel of cybersecurity?

In today's digital landscape, an organisation's C-suite and senior executives hold the most valuable corporate data and sign-off authorities, representing the highest potential risk over email. Whether it's inbound spear phishing attacks or outbound mistakes resulting in a damaging data breach, the C-suite are vulnerable.

But what do cybercriminals want from these individuals, are breaches always a result of external actors, and what can organisations do to protect their top decision-makers?

Decoding cybercriminals' fascination with the C-suite

Sometimes referred to as a whaling attack, threat actors will often dedicate more time and resources to a phishing email against a senior executive or C-level, using a less generic approach than they would against the rest of the workforce.

As a form of spear phishing, cybercriminals usually carry out heavy reconnaissance on the individual and the organisation to leverage convincing impersonation and social engineering tactics. Because the attacks often lack an attachment or link-based payload, it is difficult for technologies that rely on signature-based detection to identify them.

They may pretend to be another stakeholder within the organisation, a trusted business associate or someone within their supply chain, using minor, hard-to-notice typographical errors in an email address, or a compromised legitimate account. If a compromised account is used to send the phishing email, it can be nearly impossible for an individual to identify the email as malicious, but the attacks often bypass traditional technologies that use reputation-based detection methods.

Cybercriminals aim to trick an individual into revealing valuable corporate information, transferring funds out of the organisation, or heavily disrupting operations. Their considerable influence and authority, makes the C-suite an attractive target.

Reasons threat actors target the C-suite

In short, C-level executives have insights, access and control over privileged company data, systems, and finances. Such information and access are highly coveted by cybercriminals, due to their potential for exploitation and illicit gain.

Secondly, senior executives are often busy, with a significant workload and tight deadlines, meaning they have less time to thoroughly review emails and determine their legitimacy. Egress’ 2023 Data Loss Prevention Report revealed that 66 percent of employees use a mobile phone to access their email outside of work, and this percentage is likely higher for time-pressed C-suites on the go. Mobile devices make spear-phishing attacks more difficult to identify, as usually only the display name is shown, so it is harder to spot an incorrect address.

Additionally, those in C-suite roles may find themselves in the spotlight, leading lives that are fairly public. Whether this is via an active social media account or speeches at conferences and events, cybercriminals have a wealth of open-source information (OSINT) readily available to them. This can then be used to craft convincing spear phishing or impersonation attacks.

How the C-suite has been targeted over a 90-day period

Egress data reveals that, from the C-suite, Chief Executive Officers (CEOs) were the number one target for phishing emails, receiving 23 percent of attacks, closely followed by Chief People Officers (CPOs), who received 21 percent. Down from first place since Egress did a similar investigation in 2023, Chief Finance Officers (CFOs) ranked third with 19 percent.

Having access to systems, data, and funds, it comes as no surprise that CEOs and CFOs have placed in the top three targeted C-levels. Similarly, senior HR executives are privy to sensitive personal data including recruitment, employee relations, and payroll, making them high-value targets for threat actors.

Another interesting note is that C-suite members whose roles related to information security, compliance, and technology tend to rank very low -- likely because cybercriminals still anticipate a lower success rate due to their elevated cyber awareness.

Risk isn't just an inbound issue

The human element accounts for 74 percent of all breaches, so, when thinking about an organisation's riskiest users, it is negligent to consider that employees are only vulnerable to external actors. In fact, in 2023, 91 percent of organisations experienced security incidents caused by outbound data loss within Microsoft 365, including misdirected emails and attachments, and data exfiltration.

These outbound events could include employees replying to a phishing email, clicking the wrong recipient in the Outlook autocomplete drop-down, accidentally sending the wrong attachment, or sending work to a personal device to look at after hours.

As innocent as these actions may be if they are carried out by a senior executive, the consequences could be devastating as they often hold the most sensitive company data, and if that data is sent to an unauthorised recipient it could amount to a full-scale data breach. Therefore, organisations must consider how to protect their senior executives, not just against external actors, but also against outbound incidents.

How can organisations protect their senior executives?

The most common way an organisation can help their C-suite is by providing them with regular security and awareness coaching. It is commonly known that, in the workplace, attitude comes from the top down, so not only is it important for the C-suite to show an enthusiasm for security awareness, but as the highest-value targets, they are the ones that need to be the most vigilant.

As an attack sent to a C-suite is likely to be much more targeted than those sent to the masses, organisations also need to ensure that they are tailoring coaching to each department or individual, based on the jobs they do and the attacks they receive.

In response to frustrations with static DLP being inadequate in dealing with the human element of outbound mistakes, three-quarters (74 percent) of Cybersecurity leaders have considered turning off Outlook autocomplete to prevent misdirected email and attachments.

However, only 20 percent have disabled the functionality -- the likelihood being that removing autocomplete would cause immense friction to workflow and manually typing in an email address could give opportunity to an equal number of mistakes. This is even more true for busy C-suite roles, who don't have time to write out a long address every time they want to communicate over email.

The best approach to inbound and outbound threats

Given the responsibilities of the C-suite and senior executives, email security must not become an additional burden. Organisations must provide them with the necessary tools to mitigate the risk of inadvertently enabling a detrimental data breach. However, sophisticated attacks that target the C-suite use tactics that easily evade traditional security technologies and static DLP isn't dynamic enough to catch the full spectrum of human error-related mistakes.

This is why many organizations are opting to layer their native security defenses in Microsoft 365 with an integrated cloud email security (ICES) solution that can neutralize advanced threats, in addition to preventing data exfiltration and misdirected emails and attachments.

Image credit: monkeybusiness/depositphotos.com

Jack Chapman is SVP of threat intelligence at Egress, a KnowBe4 company