5 Ways to Manage the Cyber Threat for Executives

esteria.white

Business Security

Failing to practice what you preach, especially when you’re a juicy target for bad actors, creates a situation fraught with considerable risk.

Leaders Behaving Badly: 5 Ways to Manage the Executive Cyber Threat

When it comes to business cybersecurity, it’s important to lead by example. Yes, it is important that each employee plays their role in a security culture by design. But their cues most often come from above. If the board and senior management can’t dedicate the time necessary to learn the basics of cyber hygiene, why should the rest of the company?

To make matters worse, executives themselves are a popular target for threat actors, given their access to sensitive information and the power they have to approve large wire transfers. So, failing to practice what they preach could result in significant financial and reputational damage.

Indeed, a new report from Ivanti reveals a significant cybersecurity “conduct gap” between what leaders say and what they do. Closing it should be a matter of urgency for all organizations.

Misconduct

The report itself is global in nature, drawn from interviews with more than 6,500 executives, cybersecurity professionals and office workers in Europe, the United States, China, Japan and Australia. Among other things, it reveals a major disconnect between what business leaders say and what they actually do. For example:

  • Nearly all (96%) say they are “at least moderately supportive of or invested in their organization’s cybersecurity mandate.”
  • 78% say the organization provides mandatory security training
  • 88% say they are “ready to recognize and report threats like malware and phishing”

So far, so good. But unfortunately, that’s not the whole story. In fact, many business leaders:

  • Asked to bypass one or more security measures in the past year (49%)
  • Use passwords that are easy to remember (77%)
  • Click on phishing links (35%)
  • Use default passwords for business apps (24%)

Leadership behavior often falls far short of what constitutes acceptable security practice. This is also striking when compared with regular employees. Only 14% of employees say they use default passwords, compared to 24% of executives. And the latter group is three times more likely to share work devices with unauthorized users, according to the report. Executives are also twice as likely to describe a past interaction with IT security as “troublesome” and 33% more likely to say they “do not feel safe” reporting mistakes like clicking on phishing links.

Measures to mitigate executive threat

This is important because of the access rights that senior leaders in an organization typically have. The combination of this, poor security practices and “leadership exceptionalism” (which leads many to demand workarounds that regular employees would be refused) makes them an attractive target. The report claims that 47% of executives have been a known phishing target in the past year, compared to 33% of regular office workers. And 35% clicked on a malicious link or sent money, compared to only 8% of employees.

Security experts often talk about the need for security by design or a security-centric culture, where awareness of best practices and cyber hygiene permeates the entire organization. This is almost impossible to achieve if senior management does not embody these same values. So, what can organizations do to mitigate the cyber risks created by their leaders?

  1. Carry out an internal audit of management activity over the past year. This can include internet activity, potentially risky behaviors such as blocked phishing clicks, and interactions with security or IT administrators. Are there any notable trends such as excessive risk-taking or poor communication? What are the lessons learned?

    The most important goal of this exercise is to understand the extent of leadership misconduct and how it manifests in your organization. An external audit may even be necessary to get a third party’s perspective on things.

  2. Go after the lowest-hanging fruit first. This means the most common and easiest-to-fix types of poor security practice. This could involve updating access policies to require two-factor authentication (2FA) for everyone, or establishing a data classification and protection policy that keeps certain documents out of the hands of specific executives. Updating the policy is only half the job: it is just as important to communicate it regularly and explain why it was written, to avoid friction with management.

    Throughout this process, the focus should be on making controls as non-intrusive as possible, such as automatic discovery, classification and protection of data. This will help strike the right balance between security and manager productivity.

  3. Help leaders make the connection between security malpractice and business risks. One possible way to do this is to hold training sessions that use gamification techniques and real-world scenarios to help leaders understand the impact of poor cyber hygiene. This could explain how a phishing link led to the breach of a major competitor, for example. Or how a business email compromise attack tricked an executive into transferring millions of dollars to fraudsters.

    Such exercises should focus not only on what happened and what lessons can be learned from an operational perspective, but also on the human, financial and reputational impact. Executives would be particularly interested in knowing how some serious security incidents led to their peers being removed from their roles.

  4. Work to establish mutual trust with senior management. This will push some IT managers and security managers out of their comfort zone. As the report explains, this should mean “honesty and friendly support” rather than the “condemnation or condescension” that often follows when an employee makes a mistake.

    The focus should be on learning from mistakes rather than on individuals. Yes, they must understand the consequences of their actions, but always within a framework of continuous improvement and learning.

  5. Consider a “white glove” cybersecurity program for senior leaders. Managers are more likely than ordinary employees to say that their interactions with security feel awkward. Their cyber hygiene is worse and they are a bigger target for bad actors. These are all good reasons to devote special attention to this relatively small coterie of senior leaders.

    Consider a special point of contact for interactions with leaders, as well as specially designed training and onboarding processes. The goal is to build trust and best practices, and reduce barriers to reporting security incidents.

Many of these measures will require cultural change, which will naturally take time. But by being honest with leaders, putting the right processes and controls in place, and teaching them the consequences of poor cyber hygiene, you’ll have a great chance of success. Security is a team sport, but it has to start with the captain.
