By: Dr Tristan Jenkinson
The issue of C-Suite executives (the top-level executive managers of a company) requesting security exemptions from their IT teams has been highlighted by a MobileIron survey, reported on by Help Net Security here.
The survey showed that just under 80% of C-Suite executives had requested to bypass security protocols in the last year, with 30% having requested such exemptions four times or more.
The article quotes Brian Foster of MobileIron as saying “These findings are concerning because all of these C-suite exemptions drastically increase the risk of a data breach”.
Based on the information provided, this is undoubtedly the case. Some of the reported exemption requests include:
- Requesting network access from unsupported devices (such as non-company issued laptops)
- Access to business data via an unsupported application
- Removal of Multi Factor Authentication (MFA)
The concerns about data breaches are well founded. An unsupported device may already be compromised, or may become compromised later, and the company has no visibility of its patch state, endpoint protection or configuration. Giving such a device access to the business network could therefore hand an attacker everything the individual can reach. Senior executives are likely to have access to a large amount of confidential company data: not only commercially sensitive financial information but also employee and client PII (personally identifiable information), a breach of which could have implications under GDPR (the General Data Protection Regulation) or other applicable data privacy laws. Similarly, an unsupported application could itself be malicious, or could be exploited to give an attacker access to whatever data the application has been granted rights to.
Either of the above scenarios could also be the entry point for a ransomware attack, in which company files are encrypted by a malicious actor and a ransom is demanded before the files are made accessible again. You can see some of the biggest ransomware attacks in the Guardian article here.
Removing MFA means that a password alone is enough to log in, so a password that has been phished, guessed, or reused from another breached site could result in the individual's email account being compromised. This may expose very sensitive information held in emails to a third party, and the account could be further exploited to gain access to additional data through misuse of the account itself.
There are, however, risks beyond data breaches. One of which is the potential for fraud.
Continuing with the risks of removing MFA: if an executive's email account is compromised, this creates the risk of Business Email Compromise (BEC) and similar frauds. BEC frauds occur when a fraudster poses as an executive (often using the executive's own compromised email account) to request that payments or transfers be made quickly, bypassing the usual checks. Losses to BEC (also known as CEO fraud) reportedly amounted to half of all cybercrime losses in 2019 (see https://www.zdnet.com/article/fbi-bec-scams-accounted-for-half-of-the-cyber-crime-losses-in-2019/). You can read about an example of a BEC fraud case here.
Files obtained in a data leak such as those discussed above, or found in a compromised email account, could also be used to commit a wide range of other frauds. Two examples: using information on mergers and acquisitions to profit from insider trading (see https://www.welivesecurity.com/2017/05/11/hackers-stole-information-law-firms-made-millions-insider-trading-fined-9-million/), and invoice hijacking, where a fraudster uses legitimate documents and discussions that have been compromised to generate an invoice that appears genuine but carries the fraudster's own payment details. You can read more about invoice fraud here and a further comment on the Worldprotein case here.
In addition to these external risks, there are also internal risks.
According to the Association of Certified Fraud Examiners (ACFE) Report to the Nations 2020 (available here):
“Owners/Executives committed only 20% of occupational frauds, but they caused the largest losses”.
The ACFE reports that the median loss for frauds committed by an owner/executive is $600,000, compared with $150,000 for managers and $60,000 for employee-committed fraud.
While requested exceptions to security protocols may be entirely innocuous, they could also be a red flag. For example, access to the company network from a non-company device could be misused to pass information to third parties for insider trading, or to circumvent monitoring software and exfiltrate company data and intellectual property; this may become a concern retrospectively if the executive later leaves to join a competitor. If the company is in financial peril, such a request could also indicate that assets are being stolen from the company before it goes under.
I have worked on a number of investigations focussed on former executives who were alleged to have stolen intellectual property. I have also worked on an investigation into a C-Suite level employee who had the IT team delete emails from the company’s email journaling system. Unbeknownst to that employee, while the emails were deleted, there was a full log of the searches performed to find them, as well as the action of deletion itself, including who made it and who it was authorised by. Helpfully, the member of IT involved also fully logged the requests which were made.
C-Suite executives are understood to be the members of staff most likely to request exemptions from security protocols. Granting such exemptions undoubtedly creates risk. Much of that risk relates to potential data breaches, but there are also fraud risks, both from external malicious actors and from internal sources.
IT teams are likely to face what continues to be a difficult balancing act: keeping owners and senior executives happy (for example, when they want to use a new personal laptop for work) while managing the associated risks of data breach and fraud that come with granting such security exemptions.