In an organizational setup, executives sit at the top of the access level hierarchy. Most likely, your company’s executives will have more access privileges and sensitive information than most of your employees. As Uncle Ben said, with great power comes great responsibility. Accordingly, executives must ensure that they follow good security practices. If not, the extent of damages to the company will be exponentially more than a regular employee getting hacked. From an attacker’s perspective, executives are the highest value targets for them to hunt and exploit.
We have observed that attackers are increasingly relying on social engineering techniques to gain access or to impersonate an executive. One such social engineering attack is whaling, in which the attackers target celebrities and C-level executives. Further, executives often tend to be the least security-aware group of individuals in your organization. For reasons like these, a company must organize security awareness training programs for executives. Apart from the general security threats a company faces, executives should also be aware of potential threats specific to their role within the organization.
For example, the CMO will have unrestricted access to marketing data. Similarly, the CTO will have access to your entire technical infrastructure, and the COO will have operational information. Depending on the role of an executive within your company, the type of data they can access can be a crucial factor.
LIFARS’ CISO as a Service is designed to address organizations’ information security leadership needs. Our CISOs are highly skilled at establishing, improving, and transforming Cybersecurity Programs focused on maximizing business values by minimizing risks and optimizing opportunities.
Should executives be concerned about cybersecurity?
The dynamics of cyberspace are continually changing. Lately, malware and hacking tools are being sold like commodities. This allows even the least skilled attackers to carry out successful large-scale attacks. On the other hand, we have adopted technologies such as cloud-based applications, smartphones, and social media platforms. While this adoption has a good set of advantages, every user in your organization’s IT ecosystem becomes a potential weak point.
A company does not need to earn millions of dollars in profit to fall victim to a cyber attack. Attackers always remain on the lookout to launch malicious attacks that affect your business. If you thoroughly study the data breaches of the last five years, you will find that most of the victim organizations had compliance practices in place. However, those certificates did not prevent them from getting hacked.
The executives, or the board, need to recognize that mere compliance with a standard or a law does not guarantee cyber resiliency, and checking the boxes is not a solution anymore.
Is it possible to train executives?
Like regular employees, executives or board members do not have sufficient time to sit in training sessions lasting for a few hours. For this very reason, the concerned team must prepare a specially customized training schedule. At times, it may be a good boost for your staff to see that the executives are attending security awareness training with them. Security training for executives should be straight to the point, with little fluff.
One of the primary outcomes of a security training session for executives should be educating them to identify spear phishing, whaling, and advanced persistent threats. Apart from this, the training session can cover:
- Overview of corporate security policies
- Organization’s current threats and risks
- Risk management policies
- Risks specific to the executives
- Recent incidents and mitigation
Your organization’s executives may have a good high-level understanding of cyberattacks and business risks. However, the security awareness gap in modern organizations is broad and deep. Apart from reporting security incidents, security professionals also have a responsibility to bridge this gap. In our experience of working with executives of different organizations, we have found that:
- CISO/CIO should focus on building real and one-on-one relationships with executives and board members. At times, casual conversations help in establishing a sense of mutual trust. Building on this trust, CISO/CIO can have a better understanding of the said executive’s roles and objectives.
- Your company’s executives are concerned about organizational safety. But they might not understand complicated attack vectors and technical measures implemented by your security team. While explaining good security practices, the explanation should be clear, concise, and straightforward.
- Using real-life explanations or incidents to put forth a point always helps. When you use such examples, the executives can easily relate to how the same experience would have affected them and the company.
- How good security practices are delivered and communicated makes a massive difference in their adoption by the executives.
Ten recommended security practices for the executives
- Take the lead on the implementation of, and compliance with, corporate security policies. In other words, avoid any activity that shows that an executive is not serious about the company’s cybersecurity. A typical example of such activity is asking an employee to share their username and password.
- Use strong and different passwords across all accounts and devices, including laptops, desktops, mobile devices, emails, etc. Utilize two-factor authentication wherever available.
- Avoid inserting any external storage device into a laptop or computer system.
- Ensure that a firewall is set up on your computer system and that it is working.
- Ensure that the anti-virus/anti-malware solution is working as expected.
- Do not download any types of files from untrusted sources.
- Avoid opening or interacting with emails that you are not expecting or whose sender you have not communicated with earlier.
- Any unexpected incident or abnormal behavior of systems and applications should be reported immediately to the concerned team.
- Limit the sharing of personal information on social media platforms.
- Follow the organization’s information-sharing guidelines concerning sharing company news and updates.
One cannot deny that employee negligence is a leading cause of security breaches across the globe. Creating a security-aware culture is a cost-effective yet efficient way to prevent costly mistakes. As businesses continue to rely heavily on technology, it becomes more crucial than ever for their executives to lead by example and set standards for employees.
National Cyber Security Centre (UK)’s Cyber Security Toolkit for Boards