In the Pink Panther movies, Inspector Clouseau would have his assistant Cato intentionally launch unexpected karate attacks to make sure the inspector was always ready for surprise encounters.
T.J. Ramsey
That’s what healthcare executives need to be doing, too: letting seasoned professionals test their readiness for cyberattacks. But unfortunately, most healthcare C-suite execs are exempt from rigorous penetration testing and red teaming that can expose vulnerabilities.
Penetration testing generally does not include social engineering – tempting phishing emails, honey traps, etc. (I firmly believe that penetration testing should include social engineering, but that’s a topic for another day.)
Red teaming is a much more aggressive attempt to replicate what bad actors are doing. The attitude of red teamers is: “We’re going to come at you hard, and you don’t have a choice about who we socially engineer. If your CEO is the weak link, too bad. After all, cyber-criminals don’t care whether they hurt an executive’s feelings.”
Sometimes a red team will be asked to attack CISOs and CIOs who feel that they’re too tech-savvy to ever get hacked. When executives are included in a company-wide attack vector, many of them quickly realize that they’re not invincible.
When users, including C-suite executives, are exempt from aggressive social engineering, they can become complacent and one of the weakest links in your defense perimeter. As a bonus, this also applies to the senior members of the IT department, who are often exempted because they already know about the testing.
Phishing is probably an executive’s greatest vulnerability. In today’s business world, we expect timely responses to emails. So an exec might not take the time to carefully check the email. There might be one letter missing from a domain name (among several that are listed correctly). The exec clicks on it and boom, your company just got infected.
It’s also important to note that executive impersonation is on the rise.
If a hacker impersonates an executive and contacts a help desk staffer, the support person may not put up any kind of resistance when they’re asked for, say, a password reset. Healthcare professionals are by disposition people who want to help others. The correct response – even to an executive – is “I can’t help you with that until I validate who you are.”
Executive targeting is on the rise
In a new Ponemon Institute report, 51% of the security professionals surveyed said hackers personally targeted an executive at their organization this year, up from 43% two years ago. About 22% of the executives targeted experienced 7 to 10 cyber-attacks since 2023.
Nearly 70% of the Ponemon respondents believe that it’s “likely” an executive would unknowingly use a compromised password from a personal account inside the company.
Survey respondents also reported that deepfake incidents involving executives increased by 7% in the last two years – and there was an uptick in reported malware on executives’ personal or family devices.
The study revealed that intruders often impersonate an executive’s trusted colleagues in order to authorize payments or disclose confidential information.
Executives are prized ‘whales’
Cyber-criminals know that C-suite executives are the ultimate “whales” who can unlock highly sensitive information. As AI evolves, we’ll be seeing increasingly sophisticated attacks on healthcare executives employing deepfakes, voice cloning and other forms of impersonation.
The best way to prepare for this onslaught is to treat healthcare executives exactly the same as other employees by including them in penetration testing and red team exercises. A rigorous check of executives’ personal devices is also paramount.
If an executive triggers a data breach, it could take years for an organization’s reputation to be restored. But with the aid of security professionals, the “C” in C-suite will stand for confidence, not calamity.
T.J. Ramsey is senior director, threat operations at Fortified Health Security in Brentwood, Tennessee.