Cyber risk protection is a key aspect of reputation management for corporate leaders, high net worth individuals and their organizations. We interviewed Kenneth Citarella, Senior Managing Director, Investigations and Cyber Forensics at Guidepost Solutions to gain insight into the most common (and often surprising) threats they face. Guidepost Solutions LLC is a multinational investigations firm specializing in monitoring, compliance, international investigations, and risk management solutions. Mr. Citarella’s areas of expertise at the firm include computer crime and fraud.
What are some examples of cybercrimes you have seen that could have been prevented with better due diligence and proactive risk assessment?
We were retained to investigate problems at a firm after it had hired a new CFO to oversee the design and implementation of a new computer network. The new CFO hired a personal friend as a consultant on the project. Then they conspired to overbill the firm and monitor the emails of key personnel. Simple due diligence would have disclosed the relationship. Also, it is important to remember that due diligence on a third-party vendor who will have access to your network must include their cybersecurity practices. One of the most publicly scrutinized attacks on a retail chain began through its HVAC vendor. Incidents such as these illustrate how important it is to be aware of your network’s vulnerabilities so you can identify and implement preventive practices.
How have the new technologies used by corporations changed due diligence methods — and where do you continue to see vulnerabilities?
Due diligence methods have not changed that much. Internet-based research has been around for years. But the objectives and scope have greatly expanded. For example, if you are acquiring a company, you are not only concerned with their profitability, personnel, facilities and other traditional qualities, but with their digital practices as well. Can your networks be integrated? Are data protection procedures equivalent? Are your BYOD policies the same? Questions like these have to be addressed so that you are at least aware of the risks you are assuming. These questions are as necessary as evaluating internal financial controls and inventory. The issues are similar when evaluating third-party vendors. They handle your data and access your network. Their cyber vulnerabilities become yours.
What are the most common cyber threats facing high net worth individuals and their families?
High net worth individuals and their families face all the same cyber risks as anyone else, but they are also more lucrative targets and often have higher Internet profiles—of which they may not be aware. For example, information about a prominent executive may exist on multiple websites, including his employer’s, that of a conference he attended, and that of a trade association he is involved with, as well as on public media platforms. In addition, the executive’s children may be active on numerous social media platforms, leaking details of family and parental activities. From these rich sources, a criminal can mine enough details to craft a carefully scripted approach targeting a specific person (which is known as spear phishing). Far more sophisticated than the more general shotgun attempts aimed at the unwary public, these attacks will reference details of the target’s professional or personal life that only a genuine associate would typically know. That is what makes them so hard to resist. Add the fact that many high net worth individuals have personal administrators for their homes or offices who answer emails, and the risk escalates. Modern communications have effectively created a due diligence obligation for high net worth individuals to know and control their Internet profiles in order to minimize their risks.
If you could give them one piece of preventive advice, what would it be?
Assume you are at risk. Get educated about your vulnerabilities, address them and periodically reassess.
Cyber risk is in the news daily (and many more incidents are not made public). Can you provide examples of the type of incidents that are most damaging to corporate and executive reputations?
Recent headlines provide all the examples we need. Multiple retail chains have been hurt because they cannot protect their customer data. If the public hesitates to shop at a store because of data breach concerns, sales, income and stock price can all fall. Intrusions have destroyed emails and corporate assets, exposed embarrassing internal communications and identified people looking for sexual affairs. Reputation repair for the individual and the organization may take an extended period of time—or may not happen at all. A high-profile corporate or personal life in the 21st century requires adequate cybersecurity at home and at work as well as a protected and controlled Internet profile. Highly qualified professional assistance to secure those objectives is a must.
This is the third in a series of interviews with experts whose work relates to online reputation management.