When it comes to corporate cybersecurity, leading by example matters. Yes, it’s important for every employee to play their part in a security-by-design culture. But their cues more often than not come from the top. If the board and senior leadership can’t put the time in to learn basic cyber hygiene, why should the rest of the company?
Compounding things further, executives are themselves a highly prized target for threat actors, given their access to sensitive information and the power they have to approve big money wire transfers. So failing to practice what they preach could lead to significant financial and reputational damage.
Indeed, a new report from Ivanti reveals a significant cybersecurity “conduct gap” between what senior executives say and what they do. Closing it should be a matter of urgency for all organizations.
The conduct gap
The report itself is global in nature, produced from interviews with more than 6,500 executive leaders, cybersecurity professionals and office workers in Europe, the US, China, Japan and Australia. Among other things, it reveals a major disconnect between what business leaders say and what they actually do. For example:
- Nearly all (96%) claim to be “at least moderately supportive of or invested in their organization’s cybersecurity mandate”
- 78% say the organization provides compulsory security training
- 88% say “they’re prepared to recognize and report threats like malware and phishing”
So far, so good. But unfortunately that’s not the whole story. In fact, many business leaders also:
- Have requested to circumvent one or more security measures in the past year (49%)
- Use easy-to-remember passwords (77%)
- Click on phishing links (35%)
- Use default passwords for work applications (24%)
Executive behavior often falls well short of what is acceptable security practice. It’s also notable when compared to regular employees. Only 14% of employees say they use default passwords, versus 24% of execs. And the latter group are three times more likely to share work devices with unauthorized users, according to the report. Executives are also twice as likely to describe a past interaction with IT security as “awkward” and 33% more likely to say they don’t “feel safe” reporting errors like clicking on phishing links.
Steps to mitigate the executive threat
This matters, because of the access rights that senior leaders typically have in an organization. The combination of this, poor security practice and “executive exceptionalism” – which leads many to ask for workarounds that regular employees would be denied – makes them an attractive target. The report claims 47% of execs were a known phishing target in the past year, versus 33% of regular office workers. And 35% clicked on a malicious link or sent money, compared to just 8% of employees.
Security experts often talk about the need for a security-by-design or security-centric culture, where awareness of best practices and cyber hygiene permeates throughout the entire organization. That’s almost impossible to achieve if senior leadership isn’t embodying these same values. So what can organizations do to mitigate the cyber-related risks created by their executives?
- Carry out an internal audit of executive activity over the past year. This could include internet activity, potential risky behavior such as phishing click-throughs that are blocked and interactions with security or IT administrators. Are there any noteworthy patterns such as excessive risk-taking or miscommunication? What are the lessons learned?
The most important goal of this exercise is to understand how wide the executive conduct gap is, and how it’s manifest in your organization. An external audit may even be required to get a third-party perspective on things. - Tackle the low-hanging fruit first. This means the most common types of bad security practice that are the easiest to fix. It could mean updating access policies to mandate two-factor authentication (2FA) for all, or establishing a data classification and protection policy that puts certain materials out of bounds for specific executives. As important as updating policy is communicating it regularly and explaining why it was written, in order to avoid executive confrontation.
The focus throughout this process should be on putting controls in place that are as unintrusive as possible, like automatic data discovery, classification and protection. That will help to strike the right balance between security and executive productivity. - Help executives to join the dots between security malpractice and business risk. One possible way to do this is by running training sessions which use gamification techniques and real-world scenarios to help execs understand the impact of poor cyber hygiene. It could explain how a phishing link led to the breach of a major competitor, for example. Or how a business email compromise attack tricked an executive into wiring millions of dollars to fraudsters.
Such exercises should focus not only on what happened, and what lessons can be learned from an operational perspective, but also the human, financial and reputational impact. Executives would be particularly interested to hear how some serious security incidents have led to their peers being forced out of their roles. - Work on building mutual trust with senior leadership. This will take some IT and security leaders out of their comfort zone. As the report explains, it should mean “honesty and friendly support” rather than the “condemnation or condescension” that often follows when an employee makes a mistake.
The focus should be on learning from mistakes rather than singling out individuals. Yes, they should understand the consequences of their actions, but always within a framework of continuous improvement and learning. - Consider a “white glove” cybersecurity program for senior leaders. Executives are more likely than regular employees to say their interactions with security feel awkward. Their cyber hygiene is worse, and they are a bigger target for threat actors. These are all good reasons to devote special attention to this relatively small coterie of senior leaders.
Consider a special point of contact for interactions with executives, and specially designed training and on/offboarding processes. The goal is to build trust and best practice, and reduce barriers to reporting security incidents.
Many of these steps will require cultural change, which will naturally take time. But by being honest with executives, putting the right processes and controls in place and teaching them the consequences of poor cyber hygiene, you will stand a great chance of success. Security is a team sport, but it should start with the captain.
BEFORE YOU GO: 6 steps to getting the board on board with your cybersecurity program