Marketing Communications Manager at ERP Maestro.
The Worst C-level Security Mistakes
Your highest-level employees also pose some of the greatest risks to your company data. What common security mistakes are the C-suite making that could open you up to breach?
They are incredibly busy, they are always on the go and they have access to some of the most sensitive information your organization owns. Of course, I am speaking about the C-suite. CEOs, CIOs, CTOs, CMOs and every other executive with a title beginning with a “C” are some of the most critical members of your workforce, but, unfortunately,they are often some of the least security savvy employees.
Research reveals that time and again C-level executives are prone to security missteps. Due to their level of access to private information, this can end up costing an organization millions of dollars should bad behavior lead to a breach. In fact, a recent survey reveals that 75 percent of security executives believe managers within their organization are the most likely to bend or break data security rules.
Here are some of the worst C-level security mistakes.
Choosing convenience over security
Because they are often so busy, working well in excess of the 40-hour work week and traveling all over the globe, C-level executives want access to critical information fast –and can sometimes eschew security rules in the interest of getting it.
For example, executives might want to get information from a report and need to download it from an online source. While downloading assets from a dubious source online is certainly something the security team has cautioned against, there is a good chance your executive might take their chances regardless in the interest of time and productivity. Sadly, that could lead to downloading malware capable of collecting sensitive company data.If that happens, even conventional IT security solutions like firewall or antivirus can’t prevent the damage that will be done once an evasion takes hold of the computer.
Hopping on public Wi-Fi
A 2017 Mobile Security Report states that most organizations consider C-level employees, including the CEO, to be at the greatest risk of being hacked.That perception is due to their heavy travel schedule and their need for connectivity while on the road.
Vyas Sekar,an assistant professor of Electrical and Computer Engineering at Carnegie Mellon’s College of Engineering and a researcher at CyLab, is quoted in an article on The Economist as saying executives have a special ’risk of exposure.’
“C-level executives are public facing, traveling and connecting from possibly unsecured locations/networks while they are traveling, such as airports, hotels and client sites,” Sekarsays.
The report also found that while U.S. organizations rank high for concern about mobile security, their actions say something else as they continue to allow the use of public Wi-Fi hotspots by employees –including C-level executives.
Additionally, remote work is increasing among all levels of employees. As more executives participate in virtual work, there is the potential for greater risks. Starbucks might sound like a great place to set up shop, but the coffee shop giant’s Wi-Fi is public and prone to higher risks.
Failing to participate in awareness training
If you have a security awareness program in place for employees, it is important to ensure your executive management is also taking part. In this article from CIO, it advises executives, like any other employees, need to be reminded of the importance of security.
Executives must participate in security awareness training on a regular basis, according to Nathan Wenzler, chief security strategist at consulting firm AsTech Consulting.
“Security teams should augment their standard employee security awareness training with additional guidelines and details for executives, highlighting the greater risk and information exposure executives face because of the more public-facing aspect of their positions,” Wenzler notes in the article.
Forgetting about the target on their back
Executives aren’t just at risk –they face some of the GREATEST risk due to the nature of their job.
Jason Hong, a professor in the School of Computer Science at Carnegie Mellon University, also quoted by The Economist, asserts that executives are an extremely attractive prey to criminals who are willing to work hard at the long con and wait for the big pay-off from tricking a C-level employee.
“Executives tend to be explicitly targeted by smart and patient attackers,” Hong says. “Not only are executives strapped for time, they also have access to the most interesting information.”
Falling for whaling attacks
Think of all the emails you have in your inbox daily. Now triple or quadruple that and you have some ideas of what the typical executive receives daily. It’s no wonder they face such massive risk over email.
According to an article on CSO, the term ‘whaling’is used to describe the technique social engineers and hackers use to gain access to senior executives so they can “land the big one.” Techniques range from pretending to be another executive in the company, to sending a mock plea from a favorite charity or a fake note from an old friend. But because the target is an executive, hackers know the information they could access is highly valuable, and they will often conduct plenty of background research first, using social media or online public documents,to craft their “whaling spear” message.
Regrettably, it is not uncommon for executives to fall for this ruse. A Verizon 2015 study of 150,000 phishing emails found 23 percent of recipients (especially executives) opened phishing messages, and 11 percent opened attachments.
While the above slip-ups focus on executives’ individual behavior as a contributing factor to cyber vulnerabilities, there’s the bigger concern of how C-level beliefs and attitudes can impact company-wide security. C-level employees tend to express less concern about security than front-line security professionals. As a result, executives may be less likely to allocate funds for prevention tools or to participate in developing security strategies, which opens a company to increased risks.
Get proactive to prevent mistakes
Often, one of the best first steps you can take to help the C-level executive stay safe is to educate them on the cybersecurity vulnerabilities they face. While this will help executives to avoid mistakes, missteps will inevitably happen. To protect the company from these incidents, be sure to monitor and manage access controls and privileges for C-level executives. Once an outsider becomes an insider, they’re able to access what an executive can access. The ability to add and remove access on the go could make the difference between massive breach and minimal impact if an executive makes one of these common errors.