Skip Navigation
BlackBerry Blog

C-Level Executives Face High-Level of Risk for Business Email Compromise

NEWS / 07.24.19 / Scott Scheferman

When it comes to enterprise security, the people at the top are most vulnerable to cyberthreats, according to Verizon’s recently released 2019 Data Breach Investigations Report. The report found that C-level executives are being increasingly and proactively targeted by social breaches for financial gain. In fact, Verizon found that senior executives are 12 times more likely to be the target of social-engineered attacks and nine times more likely to be the target of social breaches.

Why C-level Execs Have a Big Target on Their Backs

With their unchallenged approval authority and privileged access to critical systems, C-level executives are ripe for cyberattacks. Additionally, there are a number of logistical reasons that make them such easy targets. For one, they’re often on the move, and as a result, make quick decisions about important business actions via a small interface and a homogenous workflow on a mobile device. This makes them ideal “muscle memory” targets. Executives are also public figures in most cases, with their personal information and email addresses readily available via open source intelligence (OSINT), which correlates into a higher level of risk for social breaches.

Verizon’s report found that C-level executives are particularly susceptible to business email compromises (BECs). One of the main reasons for the uptick in this sort of attack is that the threat landscape now largely revolves around the misuse of stolen credentials, and executives are often the last people to fully implement two-factor authentication (2FA) to safeguard themselves. To put the sheer gravity of this situation into perspective, there are now in fact more stolen records than there are human beings on Earth, meaning malicious actors possess a massive pool of credentials to help them orchestrate an attack. And because executives’ lives and movements are easily discerned via OSINT, it’s easy for cybercriminals to craft a social engineering attack or spear phishing email with timely pretext that makes them look all the more credible.

Executives also tend to suffer from a mindset that cybersecurity does not apply to them. They tend to forgo the personal upkeep of security best practices by relying too heavily on the dangerous assumption that their IT staff can take care of and catch any suspicious activity. There’s also a certain degree of denial among the C-level, to the effect that they have nothing a cybercriminal could possibly want that they don’t already have. Time and again, these end up being famous last words, especially considering the fact that executives make more money and tend to have better credit—prime motivators for extortion or identity theft amongst cybercriminals. Thus, the C-level tends to have more to lose in their personal and professional lives than most.

The Rise of Business Email Compromises

There are numerous motives that have made business email compromise a go-to attack method for cybercriminals. For starters, it’s a relatively easy way to financially extort an executive. Whether it’s the straightforward theft of trade secrets or business decisions, a cybercriminal can easily game the stock market from the information gathered through BECs or profit by gleaning information on a product line’s production, price, roadmap or inventory.

Other times, a BEC is initiated to subsequently reset passwords via password recovery options in enterprise applications or personal financial applications. That’s because hacking an email account grants attackers access to many other applications for which that email account was used to register. In finance attacks, BEC is often leveraged to send emails to subordinates with explicit requests or instructions to conduct an action that facilitates a transaction resulting in fraud.

Threat actors are also quickly learning that the actual compromise of systems is not needed in order to extort an executive into paying a ransom. So, why would they add the complexity and technical dependencies on something like ransomware that encrypts hard-drives if they can simply compose an email “close enough to home” to gain leverage over an executive? Financially motivated attackers know to take the shortest path with the highest chance for success and the least amount of risk. More often than not, that equates to a simple, well-composed email with a clear-cut demand.

A-level Security for the C-level

Fear not, C-level—there are many steps one can take to safeguard against the rise of business email compromise and other social-engineered attacks. For starters, let’s revisit the process of 2FA, which can provide simple, high-security user authentication to safeguard all of your critical systems from email and beyond. BlackBerry 2FA provides enterprises with two-factor authentication to every type of user (C-level included) inside and outside of an organization. It supports unmanaged devices and those managed by a third party as well, so it can easily map onto almost any device one might use.

Once a user registers a mobile device, they can access critical systems by entering their usual password and clicking “OK” on a registered device to authenticate. This eliminates the frustration of the complex authentication process, removes the need to remember PINs or manually transcribe code and offers a superior, one-click user experience that requires no IT support to set up.

Beyond 2FA, BlackBerry also offers BBM Enterprise, a secure, enterprise-grade messaging platform with end-to-end security and privacy. This tool is especially useful for users on the go like C-level executives because it allows them to do everything they want and need with the added bonus of high-level encryption and protection. Best of all, BBM Enterprise offers support across multiple platforms with powerful controls and IT policy management from a single, on-premise or cloud-based console.

Lastly, for an added layer of security around email, enterprises should consider the secure BlackBerry Work app, which combines enterprise email, calendar, document access and more into a secure mobile workforce. BlackBerry Work facilitates a seamless mobile business experience that doesn’t sacrifice security. Thanks to next-generation containerization, BlackBerry Work protects all business data on corporate-owned or BYOD devices. And with powerful business-class email, executives can protect against BECs thanks to an advanced warning system that singles out messages from unauthorized sender domains.

Education and Awareness Matters…but Technology Is the Answer

While awareness and education of end users is still important, it is not enough to prevent modern threats from causing damage. Users, particularly business executives, will eventually click on a malicious link or file because they’re only human. Nonetheless, it’s imperative that executives understand the risks associated with their standing and that the threat landscape around them is increasing in both volume and sophistication. Armed with this perspective, executives can formulate a winning cybersecurity strategy that protects both themselves and their company. 

A key component of that strategy is to leverage the current AI revolution by investing in predictive threat protection. CylancePROTECT helps enterprises get in front of malicious cyberattacks thanks to artificial intelligence that works to prevent attacks before they can damage an executive’s devices or reputation. The predictive, continuous threat protection of CylancePROTECT offers enterprises a massive advantage against attacks both current and future, even if a company or its executives aren’t up to date on the latest security best practices or updates. To learn more about predictive enterprise security, click here.

Be Proactive but Plan and Rehearse for All Contingencies

BlackBerry Cylance’s renown consulting practice includes services designed to provide holistic protection for executives. Having performed thousands of Compromise Assessments and Incident Response & Containment engagements over the last six years, this practice offers a menu of both proactive and reactive services, including:

  • Table-top threat and crisis management engagements
  • SOC (security operations center) playbook and automation services
  • Insider-threat protection programs
  • BEC-focused red-teaming
  • IR training
  • Related program development

These services are able to meet the needs of an organization of any size and are designed to best position your organization to proactively prevent threats like BEC that target executives while also providing the reassurance of rapid incident containment services ready to go at a moment’s notice. A list of some of these services can be found here. Bottom line: your A-plan should always be one of proactive security, but having a Plan B on the back burner will only further protect you.

Scott Scheferman

About Scott Scheferman

Senior Director Professional Services Consultant