My name is Juan and I work as a CSO in a Spanish infrastructure company with a strong international presence. My old friend Jaime, who is responsible for a geographic business unit based in our head office in São Paulo, has just contacted me and made me aware of the following situation. He had been approached by some people allegedly wanting to talk business, though he believed they worked for a rival company. In fact, they were interested in discussing information on the proposal our organization was presenting in the tender for a federal interurban highway. However, at the end of the call, they sent their regards to a Brazilian girl Jaime had been going out with for a while and commented on how pretty she looked in pictures. What these people suggested about the pictures came at the worst possible time for him, as he was undergoing the process of separation from his wife. As a CSO, my opinion is clear: one of our rival companies in Brazil is blackmailing Jaime with personal data, trying to force him to disclose information on the bids our organization is preparing in this market.
The above example illustrates how hostile actors can exploit potential vulnerabilities and take advantage of openly accessible information on executives and other employees in an organization.
As a general rule, the security level of an organization is determined by the security level of the most exposed or vulnerable component thereof.
In most companies, including those adopting matrix or flat structures, information is organized by departments and hierarchy levels, and access to it is restricted for other positions in the chart. Higher positions can usually access larger amounts of information, even when generated by other departments and levels. Executives therefore need to understand the general structure and operation of the company in order to align the management of departments with the overall organization strategy. That is why executive employees, who are engaged in the decision-making process, are considered to be critical staff in the organization.
Critical staff also include those who have deep knowledge of and access to sensitive data in the organization, whether of a financial, commercial or technical nature, due to the high specificity of the tasks they perform (as is the case, for instance, for senior management administrative staff, employees entrusted with know-how and patents, etc.) or the high autonomy of the post they are assigned to (such as expatriate project managers, country/delegation office managers, etc.).
Depending on the company’s organizational chart, structure, operation, internal codes, corporate culture and other factors, companies should have individualized maps of critical staff. These personnel need to be especially instructed to keep their level of digital exposure to a minimum, as many attacks impacting organizations materialize through digital vulnerabilities. It is highly recommended for any organization to develop a specific protection scheme for these employees that includes information on how to prevent and neutralize hostile external actions intended to obtain strategic information, the loss of which could be extremely costly for the company.
These actions are usually sponsored by direct or structural competitors and result in permanent and latent threats against critical staff. It is essential to warn them against these risks, as most of the time the executives being approached are not aware of the attack or of their role as data owners. These employees cannot be accused of acting in bad faith, of disclosing information or of providing access to sensitive data. Employees experiencing these situations are not disloyal to the employer (otherwise they would be considered insider threats) but lack the awareness needed to avoid digital exposure of personal and business information that could be used by attackers to approach them.
Hostile actions against critical staff are occasionally designed on an ad-hoc basis to obtain valuable and timely information, for instance when rival companies compete against each other in a competition, tender or project. All rivals need to be considered, even when cooperative relationships could exist in other scenarios or markets. It should be borne in mind that coopetitors are ad-hoc rivals that could turn their synergy into an opportunity to approach an organization’s critical staff. Aggressors can even have the support and public capabilities of a state sponsoring the entity behind the hostile action.
The above is especially important to organizations that have already decided to internationalize their activities, as competition in international markets is particularly intense, and companies resort to aggressive methods to boost competitiveness.
Though attacks can be directly or indirectly sponsored by an organization’s competitors, economic motivation should not be disregarded when analyzing the causes of an attack, given that companies’ strategic and sensitive information is always valuable and easy to sell.
As a consequence of digitalization, sponsored actions have become more popular, cost-effective and ready to use, through a wide range of virtual (digital) attack vectors that produce real and material results, such as information theft or extraction.
Although cyber security has traditionally focused on protecting digital assets (computer systems, networks, devices) and preventing or mitigating ransomware malware or leakages of user-specific information (passwords, e-mails, administrator passwords), the high digital exposure of company staff in social networks, messaging applications or communication media, especially of those considered critical to the organization, also needs to be addressed.
When securing digital transformation, the human factor needs to be taken into account as it is one of the core assets in the organization. This applies above all to the critical staff responsible for decision-making or having access to strategic and sensitive information. In this scenario, it is also important to pay attention to the corporate reputation in social networks and communication media and the consequent negative impact it may have on the business.
By using cyber intelligence tactics, techniques and procedures, companies can implement an advanced defense system against hostile actions impacting critical staff. In some cases, those methods allow the replication of the preparatory work carried out by potential aggressors. Attackers can employ a combination of sophisticated and basic digital tools, based on open sources or restricted databases, to approach critical employees. The attack vector can be either digital or direct, the latter with real or fictitious actors inducing the approach to the selected target.
Cyber intelligence specialists put themselves in the aggressor’s shoes to identify the most likely scenarios for an attack, understand the motivations, find the sponsoring agents and learn the information used to select the executive to be approached.
Organizations can therefore implement efficient methods to defend their staff—especially those essential for the business—based on three mutually reinforcing lines of action. First, a list or map of the critical staff to be protected needs to be drafted. Second, awareness programs and actions intended for these employees are to be developed. Third, companies can also resort to cyber intelligence tools and experts as a proactive measure for advanced detection and identification of potential risks and threats.
My name is Antonio and I work as Business Continuity Manager at a Spanish engineering and consultancy firm with medium turnover levels, certain international visibility and proven experience in LATAM and MENA countries, apart from Spain. I will relate here a bad experience I recently had in one of the projects developed in the MENA region. Fernando, the project manager in this area, informed us about a generous job offer he had from an international headhunting firm. After the third interview, Fernando got suspicious because the questions addressed a very detailed technical level and all of them referred to the specific project he was responsible for in our company, which is uncommon in executive recruitment processes. The headhunters insisted that it was vital to answer those questions to remain in the selection process. Our company then initiated an investigation, outsourcing part of the inquiry. It turned out that those headhunters were using fake identities. Though it could not be fully proven, it was also found that there were many connections linking the headhunters with an engineering company based in Asia which happened to be our direct competitor in the MENA market. Fernando was almost tricked into disclosing critical information and know-how that would probably fall into the hands of our competitors.
*PS: All persons and companies mentioned in the examples at the beginning and end of this article are fictitious. However, the situations referred to and described in the examples are real.