Employees pose certain risks that organizations must be aware of, especially when it comes to using mobile devices. The matter worsens when employees use their own devices, an arrangement known as a BYOD (“Bring Your Own Device”) policy.
All organizations should have a strategy in place to mitigate workforce risk when it comes to mobile devices. However, the mobile risk attached to employees isn’t applied equally. While there’s some overlap between executive and non-executive roles, the two types of roles have unique risk elements to be aware of.
In this article, we’ll guide you through the unique risks that executive and non-executive personnel pose, as well as where there are overlapping risks that can be addressed via a comprehensive strategy.
An account compromise against an executive can be devastating because it potentially gives the hacker access to the company’s most valuable assets and data.
Unsecured executive mobile devices will likely represent a treasure trove of intellectual property, financial records, contact details for other high-value targets, and sensitive communications.
For instance, a compromised executive device could expose strategic plans, such as merger and acquisition details, which competitors or malicious actors could exploit for financial gain or market sabotage. The executive’s device might also have sensitive communications that include negotiations with vendors or clients that, if leaked, could damage relationships or lead to lawsuits.
An executive can be impersonated, compromised, or extorted. Each scenario takes advantage of the executive’s authority and role.
For example, an attacker who compromises an executive’s email, social media, or communications app can then impersonate the executive (including deepfakes) and send fraudulent demands to a junior. These demands can be to process a fraudulent payment or send sensitive information to the “executive.”
If the executive’s device is directly compromised, an attacker can also extort money and force him or her to issue orders to pay off the attackers. This can be the case if the attacker ends up with company data due to the executive’s negligence or if the attacker has found information or personal data about the executive that can lead to blackmail or extortion.
Remote work options and BYOD policies mean that everyone is more connected to the office than ever. This is even more true of executives. An executive is “always on” and usually has multiple devices connected to business networks and the rest of the workforce.
More devices result in more risk, especially as execs are likely to travel more often and use public networks while doing so. In this case, they open their mobile devices to MitM attacks that leverage public networks or insecure connections in order to access communications passing through the devices or access device data itself.
Executives often have a high online visibility. They’re usually the “face” of an organization and lead public events or speak at corporate-sponsored gatherings. All this exposure makes it relatively easy for threat actors to know who the high-value targets are for that organization.
This visibility also makes an attacker’s job much easier by giving them a jumping-off point. By knowing the highest-value targets of an organization, they can focus their research so that any spearphishing or other highly targeted attack is much more likely to succeed.
A non-executive workforce might be less knowledgeable of potential risks and may not know the technical elements behind attacks. This lack of awareness can lead to potentially riskier behavior such as using unencrypted public Wi-Fi networks, storing sensitive files on unencrypted devices, or keeping important company documents on their devices for too long.
These employees may also have a false sense of security, believing they won’t be attacked or targeted. However, a lot of widespread or automated attacks target individuals randomly, meaning they can get caught in the scatter.
A lack of awareness of potential risks means non-executive employees exhibit less skepticism when faced with a potential attack. This lack of alertness means non-exec employees might be more susceptible to phishing attacks.
Because non-executive employees are lower on the org chart, hackers leverage this in impersonation attacks. The hacker, impersonating an executive, might threaten the junior employee, who is more likely to comply in the face of “authority.” This is largely why BEC attacks have become so successful and a major reason why cyber insurance rates have increased.
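An added example, not part of the original article or of any SolCyber product: a mail-header check for the executive-impersonation pattern described above, flagging an executive's display name on an external sender and a Reply-To that diverges from the sender. The domain, executive roster and sample messages are assumptions constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: the org's mail domain and executive roster.
ORG_DOMAIN = "corp.example"
EXECUTIVES = ["jane doe", "rahul mehta"]

def _tokens(name):
    """Fold case, width and punctuation: 'JANE DOE - CEO' -> {'jane','doe','ceo'}."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return set("".join(c if c.isalnum() else " " for c in folded).split())

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def impersonation_flags(raw_message):
    """Return the reasons a message resembles executive impersonation."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []
    # Display name contains every token of an executive's name.
    names_exec = any(set(e.split()) <= _tokens(display) for e in EXECUTIVES)
    if names_exec and _domain(from_addr) != ORG_DOMAIN:
        flags.append("executive name on external sender")
    # Replies would be routed to a different domain than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append("Reply-To domain differs from From")
    return flags

# Constructed sample messages (not real traffic).
SPOOFED = (
    'From: "JANE DOE - CEO" <jane.doe@corp-example.test>\n'
    "Reply-To: accounts@mailbox.test\n"
    "Subject: Urgent wire today\n\nProcess this payment before noon.\n"
)
GENUINE = (
    "From: Jane Doe <jane.doe@corp.example>\n"
    "Subject: Board deck\n\nDraft attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, impersonation_flags(raw))
```

A message sent from an executive's own compromised mailbox passes both checks, so payment or data requests still need confirmation over a separate channel.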
Risky behavior by non-exec employees is often negligent rather than nefarious.
Non-executives have less to lose if the organization is compromised and so might take a more blasé attitude toward potentially risky activities. They might believe that the risk falls on the company and not on them personally, thus encouraging them to engage in less cautious behavior when using company-owned devices.
Non-executive employees might also lack understanding of enterprise-level threats or fail to grasp the complexity of cyberattacks. They might likewise not fully comprehend the potential organizational damage from a severe data breach. As a result, employees might download apps from a third-party website, visit risky sites, or act with much less caution using a company phone compared to using their own.
Threat actors sometimes specifically seek out lower-level employees for insider attacks. One common place where this occurs is in SIM swaps, where a telecom insider diverts someone’s telephone number to a hacker’s phone. The diverted number allows the hacker to intercept 2FA messages sent to the device, which is like handing over the keys to the castle. With 2FA control, hackers can change passwords and falsely verify identity.
For example, a SIM swap technique was used to hack into Twitter founder Jack Dorsey’s account in 2019, and it has repeatedly been used to steal from high-value targets.
Malicious actors can also prey on employees’ status and coerce or bribe them into giving up information or access by promising profits or a hefty check in return. In 2024, a telecommunications manager from New Jersey admitted accepting bribes to swap SIMs on mobile devices. Disgruntled employees can easily be taken advantage of; they may even actively seek out ways to divulge company data.
Some threats apply to all employee levels, whether executive or non-executive.
All employees, regardless of experience, are susceptible to malware on their devices.
Malware can be introduced through phishing emails, malicious websites, or infected apps. Mobile malware can steal sensitive data, track user activity, and even control the device.
Employees might inadvertently download malicious apps from unofficial app stores or click on links in phishing emails that are infected with malware.
A network compromise occurs when an unauthorized party gains access to a network, allowing them to intercept, modify, or steal data. Network compromises occur most often when employees connect to insecure networks, as when they’re traveling or working at a café.
When employees connect to public WiFi without a VPN, their data is vulnerable to interception. Additionally, home networks with weak security can also be compromised.
Hackers also sometimes create malicious hotspots that mimic legitimate WiFi networks so they can intercept web traffic and communications.
Zero-click exploits are cyberattacks that require no user interaction to execute. These attacks take advantage of vulnerabilities in software or operating systems to compromise a device without the user clicking a link or opening an attachment.
Zero-click exploits often target vulnerabilities in messaging apps. Meta recently confirmed a vulnerability in WhatsApp that led to multiple successful zero-day attacks. Bad actors can send specially crafted messages or files that trigger the breach, allowing them to gain control of the device.
Zero-click exploits are typically used by highly sophisticated actors who are often state-sponsored. One of the most widely known zero-click threats for mobile devices is the Pegasus spyware which targets journalists and politicians.
The high-profile Jeff Bezos iPhone hacking incident might’ve occurred as a result of a zero-click attack.
Keeping devices and apps updated is crucial for mitigating these risks, but it’s no guarantee that the device will be secure. Ensuring visibility into the device and its assets is crucial.
Mobile risks aren’t just a personal issue. They pose a serious threat to organizations.
Businesses must be aware of what kind of damage can occur when an employee device is compromised, and what the various risks are. A simple high-level strategy to mitigate these risks would be:
Traditional mobile device management solutions fall short when it comes to protecting modern devices. The best option is to partner with a team that offers a modern mobile MDR solution that’s easy to implement.
To learn more about SolCyber’s mobile MDR offering, reach out to us for a chat.