By Bruce Alexander
Cyber criminals are targeting executives of publicly listed companies with e-mail embedded with malicious code disguised as recruitment letters.The e-mail uses a subject line that entices the recipient to open the e- mail under the guise of recruitment letter. Once the recipient opens the e-mail it launches an attachment containing executable code. This is a relatively easy threat to counter by simply not opening e-mails from unknown senders, installing spam and malware filters. Threats to executives come in all forms. As technology makes greater intrusions into society, the threats from the malicious use of technology will undoubtedly be directed at executives and protected persons.
What concerns me about this particularly threat is the deliberate targeting of executives in this scheme. This threat is only effective when the recipient opens the e-mail. In order to entice the recipient to open the e-mail, the e-mail subject line has to motivate the recipient to open the e-mail. As the article points out, the sender understands how to craft an effective message that moves the recipient to open the e-mail. What facilities the effectiveness of this message is the deliberate targeting of recipients.
That targeting can only be done by some form of information collection on either the firms the executives work for, or the executives themselves. Either way, it’s a focused collection effort akin to what takes place during the hostile attack cycle associated with terrorist attacks. In both cases, the effectiveness of the attack is predicated on gathering information about the potential target and subsequently developing an attack plan. Yet in both cases, a change in behavior could make a significant difference. Both types of threats can be mitigated by awareness, protecting information, and adhering to sound security practices.
For Executive Protection specialists, an awareness of cyber threats is an important aspect of the overall protective mission. While countering cyber threats requires specialized training and is usually outside the realm of Executive Protection. However, the ability to articulate the danger from cyber threats to key executives is paramount. Furthermore, the need to prevent information collection from use in any type of attack, and protect existing information from exploitation, regardless of the nature of the threat, should be part of the Executive Protection mission.
Simply put, if information can be exploited for a cyber attack, it’s very likely that information can be exploited for planning or conducting a physical attack.Executive Protection has a vested interested in ensuring all around security. While Executive Protection might not have the primary responsibility for counter the cyber threat, Executive Protection is a multi-disciplinary function. A combined approach of the Executive Protection specialist working in concert with the Information Technology section will greatly facilitate the ability to mitigate such threats.
Jeff Morelock
Interesting point and article subject. I have been to several executive protection schools, but none have touched on providing cyber-protection.