Bolster office security. First and foremost, it's up to IT to bolster security for the boss, both in the office and when he wants to work from home, by making sure anti-malware software and services are up to date at the desktop, server and network levels.
The most basic security practices, including frequently changing passwords, must be strictly enforced as well, and it's imperative that any security holes in Word, Excel or Acrobat are patched promptly and completely. And IT should especially ensure that the operating systems on handheld devices -- typically beyond the scope of desktop antivirus programs -- are always up to date as well.
Get the word out. IT managers should instruct top execs to notify the appropriate person immediately if they click on a Word, Excel or PDF document received via e-mail and the application appears to launch but then shuts down and relaunches. That happens as a Trojan attempts to cloak itself behind the real application, Hyppanen explains.
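The launch, shut-down and relaunch pattern Hyppanen describes is also something an IT team can look for in endpoint process telemetry rather than relying only on the executive to report it. The following is an added example, not code from the article: it flags a document application that starts, exits within seconds and is immediately started again, using constructed process start/stop events; the log format, the application names and the 10-second thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample process events (not real telemetry): time, event, image, pid.
# The winword.exe lines show the suspicious quick exit-and-relaunch; the excel.exe
# lines show a user closing and reopening a workbook minutes later, which is benign.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 start winword.exe 4120
2024-05-01T09:00:02 stop winword.exe 4120
2024-05-01T09:00:03 start winword.exe 4188
2024-05-01T09:30:00 start excel.exe 5010
2024-05-01T09:45:00 stop excel.exe 5010
2024-05-01T09:46:30 start excel.exe 5222
"""

DOC_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}  # assumed image names
MAX_LIFETIME = timedelta(seconds=10)      # assumed: first instance dies this fast
MAX_RELAUNCH_GAP = timedelta(seconds=10)  # assumed: replacement appears this fast


def parse_events(text):
    """Parse 'timestamp kind image pid' lines into sorted (time, kind, image, pid) tuples."""
    events = []
    for line in text.splitlines():
        ts, kind, image, pid = line.split()
        events.append((datetime.fromisoformat(ts), kind, image.lower(), int(pid)))
    return sorted(events)


def find_relaunches(events):
    """Return (image, first_pid, second_pid) for every start -> quick stop -> quick restart."""
    live = {}       # pid -> start time of an instance that has not stopped yet
    last_stop = {}  # image -> (stop time, pid) of its most recent short-lived instance
    hits = []
    for ts, kind, image, pid in events:
        if image not in DOC_APPS:
            continue
        if kind == "start":
            prev = last_stop.get(image)
            if prev and ts - prev[0] <= MAX_RELAUNCH_GAP:
                hits.append((image, prev[1], pid))
            live[pid] = ts
        elif kind == "stop" and pid in live:
            # Only a short-lived instance is a candidate for the cloaking pattern.
            if ts - live.pop(pid) <= MAX_LIFETIME:
                last_stop[image] = (ts, pid)
    return hits


if __name__ == "__main__":
    for image, old_pid, new_pid in find_relaunches(parse_events(SAMPLE_EVENTS)):
        print(f"suspicious relaunch: {image} pid {old_pid} -> pid {new_pid}")
```

A hit is a reason to pull the document that was opened and check the endpoint, not proof of infection; a crashing add-in produces the same shape.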
Company executives, and indeed any computer users, should be even more paranoid when an e-mailed document requests that they run resident macros. Common sense helps in such cases. Does it make sense that Hilda in legal needs the COO to run a Word macro? If it doesn't, don't run it.
Make the road safer. Since high-level executives tend to roam, their IT staffs must make sure they use hygienic connectivity practices. CEOs and CFOs should always use a VPN when linking into company networks while on the road, and they should be instructed never to send confidential information of any kind -- including personal information -- over an unsecured Wi-Fi connection.
"Executives as a group have pushed a lot of enterprises into reluctantly [giving them] mobility. IT has had to open up the network for senior management who want Treos and smart phones to access e-mail," observes Stan Schatt, an analyst at ABI Research, an Oyster Bay, N.Y.-based market research firm that specializes in emerging technologies.
But "in many cases, these same executives are not particularly careful, and IT has had to develop standard properties for this group -- VPNs, secure home routers and so forth," Schatt says.
One recurring theme among IT officials is that top execs, who are used to their positions of power and privilege, don't like to be told how and when to use their PCs and handheld devices. They want to use these tools when and where needed, regardless of their surroundings and the attendant security (or lack thereof).
Many won't even use VPNs to access e-mail. "They're not used to being told what to do," says the IT manager at the Fortune 500 financial institution.
One executive at that company put the private 800 number and pass code for corporate conference calls on his shareable Google calendar. Since those numbers are reused, this was no small matter. "We did a Google search and found that number all over the place," the IT manager says. "If bad guys wanted information, they'd just need to dial in and listen to a few of those calls."
Be wary of social networking. Finally comes the brave new world of social networking, which appeals to executives as much as it does to the rank and file, with one big difference -- would-be criminals may be watching high-profile posters with something other than benign interest.
C-level executives who update their corporate whereabouts and accomplishments on any of the professional and social networking sites are potentially putting themselves at more risk.
"I would recommend that companies monitor what information their employees make public," says Symantec's Ramzan. "Many times people share considerable detail about their lives. If those details can be mined, attackers can put together a comprehensive dossier of information on a person that can later be used to facilitate identity theft."
In short, corporate IT professionals have to bolster their server, PC and network security technology, but more important, they need to make sure the people they support are aware of social engineering tactics that could prompt them to unwittingly give away the farm. Or their bank account. Or their business.
Darrow, a Boston area freelancer, can be reached at firstname.lastname@example.org.