Executive Assistants are considered to be the employees most vulnerable to technology breaches within an office says Shelagh Donnelly
What is cybersecurity?
Unless you’ve stopped paying attention to the news, you’ll have heard plenty about cybersecurity in recent months. Or, perhaps it may be more accurate to say that you’ve heard plenty about cybersecurity breaches. Breaches, hacks or other cyber incidents have occurred in virtually every sector across the globe. The daunting news? There’s more to come.
What do we mean, though, when we use the term “cybersecurity”? Let’s start with a definition. Cybersecurity is a word used to describe measures (technology, practices and processes) that are taken to protect data, networks, programs and hardware from unauthorised access or attacks. Why should you care? It’s simple. Breaches can occur both at home and in the office.
Why should you care about cybersecurity breaches?
First, the global financial implications are huge. Take ransomware attacks, for example. They represent just one aspect of cybercrime, and they cost global economies an estimated $325M in 2015. While that’s a significant hit, it’s nothing compared to the May 2017 projection that the global impact for this year will be a staggering $5B. Hold on, though; it gets worse. It’s been projected that the global cost of cybercrime as a whole will reach $6T (yes; six trillion dollars) by 2021. Anything with this level of global impact can ultimately impact your workplace and your home.
How so? First, any device can be breached. Next, a hacker has typically been in a company’s network for months before the organisation realises it. Once a hacker has breached a system, it’s that much simpler for them to re-enter it at a later date. To compound things, these criminals’ tactics are constantly evolving – and you can toss away stereotypes and any preconceived notions you may have about hackers. They may be employed by organised crime or by a nation-state, complete with a chain of command. They may work for data brokers, or for activist groups. You don’t know who they are, or where they’re located.
By the time you read this, it will have been more than two and a half years since the US government first declared the rising number of cyber attacks against that country to be a national emergency. That emergency status remains in place today, yet employees in many workplaces are only vaguely aware of the risks and ramifications for their organisations.
Understanding implications for business, and the need for employee training
Whatever your sector, cybercrime has a range of implications that go beyond financial, legal and operational risks that impact shareholder or stakeholder confidence and client retention. Cybercrime can also have regulatory and reputational impacts.
It’s generally recognised that employee behaviour represents a cybersecurity risk to organisations. There are reports that show that more than half of all cybersecurity breaches involve current or former employees. With that being the case, it could be argued that HR, rather than (or at least in conjunction with) IT, should take a lead role in providing training. That way, well-intentioned colleagues can not only recognise risks as they occur; they can also play a role in risk mitigation.
You should also care about cybersecurity because Executive Assistants are considered to be the employees most vulnerable to technology breaches within an office.
Executive Assistants among the most vulnerable employees in terms of tech security breaches
Yes, you. I kid you not. I’ve been paying attention to cybersecurity matters, and have given and attended international presentations on the topic.
This summer, I was among those participating in a cybersecurity roundtable led by a Canadian partner in a multinational professional services firm. The man is responsible for cybersecurity and privacy consulting, and knows his stuff. He leads teams that go in and conduct maturity assessments and penetration testing for clients who are paying attention to this growing area of risk.
At one point in the roundtable, the conversation turned to vulnerabilities in the workplace. The leader told us that, in his experience, Executive Assistants represent the greatest vulnerability in terms of employees. Why? EAs are generally proactive people. They want to be responsive. Somewhat ironically, since the role of an EA is often undervalued, hackers are one group of people who don’t underestimate the role. They recognise that EAs have access to power, which also implies access to significant information that hackers can use or sell.
Don’t waste any energy feeling badly about being a potential target for cybercrime. First, you’re not alone; we were told that members of boards of directors and junior IT staff are also popular targets. Next, there’s no point bemoaning realities; you’re better off expending your energies toward preparing yourself to deal with attempted breaches. Let’s start by examining the role of social engineering in tech security breaches.
Social engineering: attacks via exploitation and pretext
If you think of social engineering as representing new twists on old fashioned fraud, you’re off to a good start. Take phone fraud, for example. While it’s nothing new, one difference is that it’s currently known as vishing. Criminals have also long conducted fraud by mail. These days, that extends to email fraud, which you likely know of as phishing. The same principles (or lack thereof) apply to fraud by text messages, which is known as smishing. In any of these forms of social engineering, the criminal may be exploitative. S/he may also rely on pretext. Either way, the criminal is after either data (names, birthdates, identification numbers, account information and more) or money. How’s it done? Read on.
Exploitation: A sense of urgency is created, or a threat is posed. You may be approached with an appeal to donate to help victims of a flood, fire, earthquake or other type of emergency or health crisis. On the other hand, you may receive a phishing email that presents you with a fraudulent notice of a parking violation, an unpaid (and non-existent) invoice, or an (again false) account expiry. You might receive a phone call from someone purporting to work for CRA, the IRS or the equivalent taxation authority in your country.
Pretext/false sense of security: Here, a criminal relies on bits of readily available information to establish a pretext that lulls a person into a false sense of security, or readiness to give out personal information. Think of someone phoning you and identifying her/himself as the company’s internal auditor, or (again) as someone from the tax department, a government body or recruiting firm.
In person: Social engineering can also take place in person. These days, more than ever in office environments, you want to be aware of those around you. Criminals have taken to dressing as delivery people. They’ll walk into your office with a parcel, a bouquet or a tray of food as if they’re delivering an order. You may even see them with their arms full and thoughtfully hold a door open for them, or let them out by pressing an elevator button on their behalf. In fact, these criminals aren’t delivering anything but trouble. They may steal hardware. Others might quickly pop a memory stick/USB into a computer or laptop, in order to gain access to log-in information and critical data via keylogging.
Don’t accept memory sticks/USBs handed out as promos
This is the tech equivalent of not accepting candy from strangers – memory sticks that are handed out with a smile or set out on display for you to help yourself. They may be harmless, but you don’t want to find out the hard way.
Have you ever attended a conference or event where USBs/memory sticks are distributed? These promotional goodies may soon be on the way out, and you want to think about using only those provided by a reputable supplier. Why? Criminals can load malicious software onto such sticks. When you pop the USB in your hardware, that software will record your keystrokes. Think of all the info you’ve typed over the course of a day, week, month or year. Assess how much of it is sensitive, and consider the extent of harm that could be done if the wrong person had your log-in credentials and more. Criminals can gain access to whatever information you access on your screen. That includes content relating to your role, and to that of your executive. If you’ve been conducting non-work-related searches on the internet at work, those keystrokes can also be recorded.
What does a technology breach look like?
Here are a few examples.
Adware – a form of malware (malicious software); this is software that contains and displays typically unwanted advertising material when you’re browsing the internet; it’s a revenue source for sites that do not charge user fees.
Data leakage – unauthorised data transfer; can be done via technology, or can be as simple as someone watching you enter a password or other data on your computer/other hardware, and retaining information.
Email, social media – messages may contain links or attachments that you should not touch.
Fraudulent/faux notifications – again, these can take the form of parking violations, taxes, account updates, solicitation of donations for people/communities experiencing flood/fire/earthquake evacuations or emergency situations … and more.
Hardware theft – smartphones, iPads, laptops, netbooks, tablets, etc. Is there anyone out there who doesn’t know someone who’s lost or been robbed of a piece of hardware?
Internal cameras or webcams on your hardware – keep those lenses covered when not in use.
Malvertising – malicious online advertising; can appear in ads that display as pop-ups or banners.
Personal devices – data leakage (see above) from your smartphone and other hardware.
Now, think about the various searches you do on your office PC or laptop, or on a smartphone that you may use for both personal and business services. Breaches can occur through your use of any such device.
Passphrases are the next big thing
That’s right. A number of offices have introduced the use of passphrases, which are more challenging to hack than passwords. While we’re on the topic, are you among the many who change their passwords (when prompted by your employer’s system) by simply updating a numerical extension to your existing password? How difficult (or not) do you think we’re making it for criminals when we take this approach? When it comes to account log-ins, it’s also good to separate your personal and business lives. If you use the same password at both home and office, you’re extending potential vulnerabilities from one world to another.
A constructive measure you can take to support your organisation’s success
You want to support your organisation’s capacity to deliver on its strategic plan, don’t you? Think of good cybersecurity practices as additional means by which you demonstrate that support.
It may help to have a sense of the work organisations face in mitigating cybersecurity risks. First, there’s an increasing awareness that both data and operations are susceptible to attacks. The proactive organisation will develop (or already have) a cybersecurity strategy, and will identify its “crown jewels” – the assets that are most in need of protection. The organisation’s enterprise risk management (ERM) system / risk register will reflect regular assessments of such risks. From a governance perspective, an effective board will engage in oversight of the organisation’s cybersecurity strategy. Those directors will want to know that management has established and regularly tests its security systems as well as its controls. Management teams – which may increasingly include a Chief Information Security Officer (CISO) – will also have cyber/cybersecurity incident response plans that outline roles, responsibilities and communications in the case of a breach. There will be tabletop/mock exercises, through which organisations test their capacity to deal with breaches.
There’ll also be cybersecurity education for employees. If that’s in place at your organisation, I hope you take advantage of all such training opportunities – they’ll benefit you at both work and at home. If training isn’t in place, think about how to constructively broach the topic. Next, if you’re part of a professional association or an internal network, check whether cybersecurity is on the radar. If not, there’s no time like the present to add it to the agenda!
Understanding the Terminology
Adware: a form of malware (see below) that displays advertising material when you’re browsing the internet.
Bitcoin: an anonymized, digital currency that is encrypted with a registration number. Bitcoins are not exchanged at banks; payment is made by online transfer of the registration number(s). As of August 2017, one bitcoin is the equivalent of approximately $5,186 CAD. That’s roughly $4,126 USD, the equivalent of 3,214 GBP or 3,509 Euros.
Browser hijacking/hijackware: malicious code that modifies the settings on your browser, without your consent; it may redirect you to a new home page and/or advertising, or install other software.
Cybersecurity: Measures (technology, practices and processes) taken to protect data, networks, programs and hardware from unauthorized access or attack – includes application, information, disaster and network security.
Cryptocurrency: a digital currency that is reliant on encryption/cryptography for its security; not issued by a bank or central authority, the encryption is verified in order to transfer funds. The bitcoin is one example.
Decryption key: digital information; in this context, a password used to restore access to one’s computer/network after payment or ransom (often by bitcoin) in instances of ransomware.
Hacker: someone who uses technology to gain unauthorized access to data.
Keyboard/Keylogger/Keystroke Logging: the use of malicious software to record a person’s keystrokes on their keyboard, enabling the criminal to access a person’s log-in details, codes and other data. It can be introduced, for example, on a USB stick installed in someone’s hardware.
Malvertising: malicious online advertising; can appear in ads that display as pop-ups or banners.
Malware: software/code that is designed with malicious intent; it creates data breaches and uses encryption to make your network/systems unavailable. Samples: adware, bots, bugs, rootlets, spyware, ransomware, Trojan horses, worms. It can impact a single computer, or multiple computers and an organisation’s network.
Ransomware: malicious software (malware) used to infect computers; it restricts access to files and sometimes threatens permanent destruction of data. If infected, you’ll find your network/systems inaccessible; your technology is held ransom. Payment is typically by bitcoin (see above).
Social engineering attacks: attacks that rely on either exploitation or pretext to gather info/money; these may come by email (phishing), text message (smishing), phone call (vishing) or in person.
Spam: unwanted, irrelevant “junk” email, typically sent to a large number of recipients and typically for the purpose of advertising, phishing or otherwise spreading malware.
Spyware: software used to gather and send personal information from a computer, without the user’s knowledge.
Tailgating: an individual following an employee into an area in which s/he does not belong; the tailgater may be dressed as a delivery person, or like many of your colleagues. S/he gains access by walking with or behind you through hallways and doorways as though they have every right to do so.