Q

Are senior level executives a target for social engineering attacks?

In this SearchSecurity.com Q&A, security management expert Mike Rothman discusses why senior level executives are a target for social engineering attacks, and unveils how to increase security awareness among them.

I've read that c-level executives are increasingly being targeted by social engineering attacks. What kinds of attacks are most prevalent right now, and what advice do you have for teaching security awareness to executives when they're often hard to reach?
One of the emerging attack trends is for high-level executives at larger companies to be individually targeted by phishing and other email-oriented attacks. According to MessageLabs, an executive receives a personalized message with his or her name and title in the correspondence, along with a malware-laden attachment that will turn the victim's machine into a zombie.

The reasons for targeting senior executives are obvious, but let's go over them. First, it's where the money is. The senior folks tend to have access to sensitive corporate data and more personal assets for the bad guys to target. Additionally, many of these executives are not as security aware as they need to be.

Which brings us to the second part of the question: how do we get senior executives to take security as seriously as they need to? I recommend a two-pronged approach. First, work with the human resources group to set up a broader security awareness training curriculum for senior executives. Actually, all employees should receive training, but given the fact that senior execs are being specifically targeted, the process should start with them.

Second, I'd work through the executive back channels to make the case that this kind of training is important. In other words, if you don't have access to the senior management team, go to your boss or your boss' boss and get access. A hallmark of my Pragmatic CSO approach to security is to develop relationships with the senior team and to be considered a peer because security is an important business issue. This is a great opportunity to test your mettle and get some face time with the powers that be.

For more information:

  • In this SearchSecurity.com Q&A, Ed Skoudis reviews the actions of a mail server when it is presented with a fake email address.
  • In this expert Q&A, security management pro Mike Rothman discusses the short-term and long-term benefits of employee security awareness training.
  • This was first published in September 2007

    Dig deeper on Security Awareness Training and Internal Threats-Information

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    This Content Component encountered an error

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close