Big Brother in the Boardroom: How Cyber Threat Actors Spy on Senior Executives
President Trump had been repeatedly warned by aides before: The cell phone he was using was not secure. But Trump bristled at the inconvenience of complying with White House security protocols. Now security experts are having a major, and awkward, “I told you so” moment. The New York Times recently reported that when President Trump uses a personal iPhone to make calls, Ivanka or Jared may not be the only people on the other line. American intelligence agencies say that foreign adversaries like Russia and China are often eavesdropping on his conversations — and then using the insights they gain to influence U.S. policy.
Unfortunately, Trump is not alone. All cell phones have security vulnerabilities. That means that all sorts of threat actors, from state-sponsored spies to cyber criminals, can potentially be using your own phone against you.
So you might be thinking: I’m not the President of the United States; why would anyone want to snoop on me? Simply put: You have access and influence. As a senior executive, you generally have more access to valuable information – whether it be customer data, intellectual property, or market-moving information – than anyone else in your organization. You also have the authority to influence others. Hackers know that if they can impersonate you (say, by hijacking your email account), they have a greater chance of obtaining even more information.
As a senior executive, you’re an enticing target for cyber threat actors. Hackers know that officials at the top of their company org chart have the most access and influence within their enterprise. By spying on you, cyber threat actors get the most bang for their buck.
How do hackers get their eyes and ears on you? Here are a couple of common, but often overlooked, ways that threat actors can target you.
1. Smartphones
Using unsecured phones compromised Trump’s confidential conversations; if you’re not careful, these devices can land you in hot water as well. The bad news is that some aspects of cell phone security are out of your hands. While there may be many options to help you secure your own networks and devices (e.g. firewalls, antivirus software, etc.), your cell phone is mostly controlled by others — namely the device’s manufacturer and your cellular service provider. If these companies neglect to patch security vulnerabilities, you’re largely out of luck.
Fortunately, you have much greater control of other aspects of cell phone security. For example, you can take steps to secure your device in case it winds up in the wrong hands. One way to do this is by enabling encryption on your phone, which makes your data unreadable to unauthorized users. Another is setting up remote wipe on your device. This feature allows you to delete all data on the device, in the event it gets lost or stolen. This could really come in handy, given that nearly 30% of board members lose or misplace their phone, tablet or computer in a given year. And, of course, don’t forget to turn on your device’s lock screen; just be sure to pick a strong passcode.
2. Computer Cameras
If you use a laptop, chances are it comes with a webcam. That little camera at the top of your device allows you to video conference with colleagues, friends, or family. But your boss or best buddy might not be the only person looking at you on the other line. Hackers are notorious for targeting webcams and peeping in on your video feed. You could be starring in your own real-life version of the Truman Show — and you would never even know it.
Fortunately, there’s a simple solution to this security threat: When you’re not using your webcam, keep it covered. There’s a no-budget option: putting a Post-it note or piece of tape over the camera (it’s not particularly aesthetically pleasing, but if it’s good enough for James Comey and Mark Zuckerberg, it will also work fine for you). Alternatively, you can go with the low-budget option and shell out a couple of bucks for a professionally made version.
3. IoT Devices
You’ve probably purchased a number of smart devices for your home, whether it’s a smart speaker, robot vacuum, or coffee machine. Now, more and more of these internet-connected gadgets are migrating into your office. This ever-expanding universe of linked devices is known as the “Internet of Things” (IoT).
Recently, IoT has become a big buzzword, and for good reason: these smart devices pose a significant security challenge for your organization. Many of these gadgets come equipped with all sorts of sensors and speakers, which can be used to snoop on you. The voice of Alexa may sound innocent, but cyber threat actors may be manipulating her for malicious purposes — such as surreptitiously recording your sensitive conference calls.
When assessing the security implications of your smart devices, it’s easy to become overly paranoid (Why is that paper shredder looking at me funny!?). Instead, take a deep breath and start inventorying which machines are connected to the internet. You may not be aware of all the home or office devices that are linked to your network.
4. Human Espionage
Even in today’s high-tech world, old-fashioned human espionage is alive and well. You don’t need to be a high-tech hacker to gather valuable information from senior executives. Sometimes simply eavesdropping or shoulder surfing (sneaking a peek at someone else’s device) is enough to get the job done. You would be amazed at how much threat actors can learn just by having their eyes and ears open in public spaces. Everyone from former CIA Directors to top bank executives has been known to inadvertently spill secrets when they thought nobody was watching.
The key to countering human espionage is to always be conscious of your surroundings. Seemingly private spaces may be more exposed than you think. Additionally, be careful of how much information you divulge to others. Remember: Loose lips not only sink ships; they also can kill careers.
N2K Is Here to Help
Interested in learning more about keeping yourself safe from cyber espionage? Check out our Executive Awareness Training Program. Covering everything from the cyber risks of business travel to adversarial targeting tactics, this course will give you all the information you need to protect yourself from hackers.