Failing to practice what you preach, especially when you are a juicy target for bad actors, creates a situation fraught with great risk.
30 Nov 2023
When it comes to corporate cybersecurity, leadership by example matters. Yes, it is important for every employee to play their part in a culture designed around security. But the tone is more often than not set from above. If the board and senior leadership can’t take the time to learn basic cyber hygiene, why should the rest of the company?
Compounding matters, executives themselves are a prized target for threat actors, given their access to sensitive information and their power to approve large cash transfers. So failing to practice what they preach can lead to significant financial and reputational damage.
In fact, a new report from Ivanti revealed a significant cybersecurity “performance gap” between what senior executives say and what they do. Closing it should be a matter of urgency for all organizations.
The conduct gap
The report itself is global in nature, created from interviews with more than 6,500 executive leaders, cybersecurity professionals and office workers in Europe, the US, China, Japan and Australia. Among other things, it reveals a huge disconnect between what business leaders say and what they actually do. For example:
- Almost all (96%) claim to “at least moderately support or invest in their organization’s cybersecurity mandate”
- 78% say the organization provides compulsory security training
- 88% say “they are prepared to identify and report threats such as malware and phishing”
So far so good. But unfortunately that is not the whole story. In fact, many business leaders also:
- Asked to avoid one or more security measures in the past year (49%)
- Use easy-to-remember passwords (77%)
- Have clicked on phishing links (35%)
- Use default passwords for work applications (24%)
Executive behavior often falls short of acceptable security practice. It also compares poorly with that of regular employees. Only 14% of employees say they use default passwords, compared to 24% of executives. And the latter group is three times more likely to share work devices with unauthorized users, according to the report. Executives are also twice as likely to describe a past interaction with IT security as “awkward” and 33% more likely to say they don’t “feel safe” reporting errors such as clicking on phishing links.
Steps to reduce the executive threat
This is important, given the access rights that senior leaders in an organization typically have. The combination of this, poor security practices and “executive exceptionalism” – which leads many to ask for workarounds that regular employees are denied – makes them an attractive target. The report claims that 47% of executives were a known phishing target in the past year, compared to 33% of regular office workers. And 35% have clicked on a malicious link or sent money, compared to just 8% of employees.
Security experts often talk about the need for a security-by-design or security-centric culture, where awareness of best practices and cyber hygiene permeates the entire organization. That is almost impossible to achieve if the senior leadership does not embody the same values. So what can organizations do to mitigate the cyber-related risks posed by their executives?
- Conduct an internal audit of executives’ activity over the past year. This may include internet activity, potentially risky behavior such as blocked phishing clicks, and interactions with security or IT administrators. Are there any recurring patterns, such as excessive risk-taking or miscommunication? What are the lessons learned?
The most important goal of this exercise is to understand how wide the executive behavior gap is and how it manifests in your organization. An external audit may be required to get a third-party perspective on things.
- Go for the low-hanging fruit first. The most common types of bad security practice are often also the easiest to fix. This could mean updating access policies to mandate two-factor authentication (2FA) for everyone, or establishing a data classification and protection policy that places certain materials off-limits for certain executives. Just as important as updating the policy is communicating it regularly and explaining why it was written, to avoid confrontation with executives.
The focus throughout this process should be on putting in place controls that are as unobtrusive as possible, such as automatic data discovery, classification and protection. That helps strike the right balance between security and executive productivity.
- Help executives join the dots between security malpractice and business risk. One possible way to do this is to run training sessions that use gamification techniques and real-world scenarios to help executives understand the impact of poor cyber hygiene. These might explain how a phishing link led to a breach at a major competitor, for example, or how a business email compromise attack tricked an executive into wiring millions of dollars to fraudsters.
Such exercises should focus not only on what happened and what lessons can be learned from an operational perspective, but also on the human, financial and reputational impact. Executives are especially interested in hearing how some serious security incidents have led to their peers being forced out of their jobs.
- Work to build mutual trust with senior leadership. This will take some IT and security leaders out of their comfort zone. As the report explains, this should mean “honesty and friendly support” rather than the “condemnation or humiliation” that often follows when an employee makes a mistake.
The focus should be on learning from mistakes rather than picking on individuals. Yes, they must understand the consequences of their actions, but always within a framework of continuous improvement and learning.
- Consider a “white glove” cybersecurity program for senior leaders. Executives are more likely than regular employees to say their interactions with security felt unpleasant. Their cyber hygiene is worse, and they are a bigger target for threat actors. These are all good reasons to devote special attention to this relatively small group of senior leaders.
Consider a special point of contact for interactions with executives, and specially designed training and on/offboarding processes. The goal is to build trust and best practice, and reduce barriers to reporting security incidents.
Many of these steps will require a culture change, which will naturally take time. But by being honest with executives, putting the right processes and controls in place and teaching them the consequences of poor cyber hygiene, you stand a great chance of success. Security is a team sport, but it must start with the captain.