Changing leaders? You may be a target of hackers

Criminals often time their attacks to take advantage of changes in the organisation, typically targeting the most susceptible (Photo: iStock)
Criminals often time their attacks to take advantage of changes in the organisation, typically targeting the most susceptible (Photo: iStock)


Research suggests that when companies have turnover at the top, they are more vulnerable to cyberattacks

A change in leadership in an organization is often a time of uncertainty, confusion and insecurity.

It’s also the perfect time for cybercriminals to strike.

My colleagues and I have been investigating the cyber vulnerability of companies for many years, and our interviews with C-suite executives reveal that the chances of someone falling victim to a phishing email are higher during times of leadership change. And hackers know this: Criminals often time their attacks to take advantage of such changes, typically targeting the most susceptible.

In our research, we found at least one case where criminals even started attending local chapter meetings of industry associations under false names and fake identities. After gaining knowledge of leadership movements, the perpetrators had enough information about the targeted company, the organizational structure, and the departure and arrival of leaders to successfully target those most affected by the change.

But the truth is that such elaborate sleuthing is rarely necessary. Companies announce leadership changes, often with great fanfare, so cybercriminals need not work very hard to know when companies are most vulnerable. Perpetrators then use such a situation to their advantage.

Uncertain times

Why does a change in leadership make a company more vulnerable? Chalk it up to three main reasons: increased uncertainty, unsettled workplace practices and a desire to please the new boss (and sometimes the old one).

Start with uncertainty. Past research has shown that uncertainty can affect all sorts of behaviors, including how individuals make decisions and how they do their jobs. A leadership change creates just such uncertainty for employees. It is a confusing time, and employees may not trust their instincts when everything around them isn’t clear.

For example, in one case we studied, a network administrator received an email that purported to be from a chief information officer soon after the chief information security officer had left the organization. The email requested that the physical location of a particular server be changed. While the network administrator knew that following the order could compromise the network, the uncertainty from the leadership change had diminished his ability to think rationally. He assumed that the new chief information security officer knew what had been requested.

Of course, the email didn’t come from the CIO, and the organization was hacked.

In another case, a network analyst received an email purportedly from the network administrator with a PDF document attached. The organization had significant turnover, and both the CISO and the network administrator had left. The uncertainty confused the employees, who were left wondering about the email and its authenticity and what they should do. In the end, they clicked on the PDF—installing malware.

How things work

Organizations also become more vulnerable during a leadership change because when a new leader arrives, it’s often out with the old processes and in with the new. Except the new processes haven’t been established yet.

Some leaders may be more task-oriented, while others may be more people-oriented. Some may be relatively conservative, others more innovative. When a leader departs, the organizational values and assumptions are in flux. One result is that employees are less skeptical when an email arrives that might have aroused suspicions before. It is just the way the new boss operates, they think. These must be the new rules.

One case we studied involved a midsize company where the prior CEO was a people person, and would interact with employees casually and informally. By contrast, the new CEO was perceived to be more structured and authoritative and would give specific instructions via email. As the employees began adjusting and the new CEO had an overseas trip, the administrative assistant received an email purportedly from the CEO. The email had an attachment, and the administrative assistant unsuspectingly opened it, not realizing it came from a noninstitutional email address. The systems were compromised, resulting in significant damage.

People pleasers

Perhaps the most obvious reason employees with new leaders are more vulnerable is one many people can identify with: We want to please the new boss.

In these cases, eager to show the new leader what team players they are, employees are more likely to agree to an email request before the actual authenticity of the message is determined. Nobody wants to take the chance of upsetting a new boss. Better to click and worry about the authenticity than question the boss and get on his or her bad side.

At the same time, those closest to a departing leader also have a greater probability of phishing susceptibility. For instance, when a user sees an email from a much-loved departing or former boss, the user may exhibit confirmation bias—the tendency to favor information supporting prior beliefs—by scanning only for a few familiar cues, such as the sender’s name. That confirmation bias may be especially pronounced when employees know an incumbent leader is leaving, and will make it even more likely that they will fulfill the email’s deceptive request.

Research suggests that in cases where the leader and the employee have a high attachment, there is a greater level of trust, and when the leader leaves the organization, the residual trust carries forward. In one of the cases we investigated, the employee kept reaching out to the former leader long after her departure. On one occasion, when a phishing email with the former supervisor’s name came in, the employee didn’t think twice before clicking on it.

Stay vigilant

What can be done about all this?

The steps to guard against phishing attacks are familiar—whether there’s a leadership change or not. Companies should keep user and administrative accounts separate, making it harder for network administrators to be targeted. They should identify a company’s critical assets and then keep them in a different part of the network, limiting the damage in case a phishing attack is successful. They should upgrade their security education, training and awareness programs.

But the message of our research is that in addition to doing all that, organizations should be aware of their heightened vulnerability during times of changes at the top. As they go through these periods of uncertainty, extra vigilance and gentle nudges and reminders will go a long way to ensuring security.


Catch all the Technology News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates & Live Business News.


Switch to the Mint app for fast and personalized news - Get App