Cybersecurity should be a top concern for any business, with strong policies and protocol put in place, and top executives leading by example. However, recent research has shown that more than half of senior managers disregard the rules, placing their organizations in jeopardy and making them an insider threat. This behavior is common in companies of all sizes. In fact, even many Fortune 500 companies take cybersecurity for granted and neglect to appoint a chief information security officer.
Why do senior executives appear to ignore such an evident threat? We frequently witness the devastating potential of an attack, and we know cybercriminals are growing ever-more sophisticated. The average cost of a breach, estimated at $3.86 million in 2018 and $3.92 million in 2019, is only expected to rise. Still, 57 percent of senior managers either resist or completely ignore the rules when it comes to cybersecurity.
Confidence can be expensive
Overconfidence is one reason senior executives may resist change or refuse to take security seriously. Executives might lack a clear understanding of the complexity of possible threats and could overestimate their cybersecurity savvy or the security solutions their organization already has in place.
While this perspective takes a dramatic turn immediately after an attack, by then, the reticence of senior executives already has a hefty price tag. They also might not be aware that they’re actually violating security policies.
Senior executives need to consider the cost of failure which, in many situations, can drive a business into the ground. Research from the Ponemon Institute shows the average cost of downtime could total $67 million per company over the two years following a breach.
While cybersecurity is often regarded as an overhead expense that’s complicated to understand and doesn’t generate revenue, its true function is to prevent financial loss, reputational damage and the legal fallout and fees associated with data breaches. Cybersecurity practices are an ongoing process that demands introspection, self-assessment and change.
Security protocol can be viewed as inconvenient
Senior managers sometimes view cybersecurity as a waste of time, and it might feel that way when the security team is doing its job. If nothing “bad” ever happens, but employees still have to undertake cumbersome procedures, executives might be inclined to forgo security measures for the sake of convenience. For example, they may turn off a security solution that makes their computer run slow or provides too many alerts, or may opt to use their business email on a personal, unsecured device.
One issue is that security policies are usually built in a one-size-fits-all approach, which don’t meet the unique needs or exposures of senior executives. Executives often have to adhere to policies set company-wide, while adding supplementary procedures that secure their increased access but that complicate their day-to-day activities. They may also have to stop using devices they prefer in favor of more secure ones issued by the company. If stringent security measures are perceived to impede their work, they may bend the rules.
Employee negligence is often underestimated
One common link in organizations of all sizes and all industries is the human element. Employee negligence accounted for 17 percent of all incidents in 2019, which includes falling for phishing attempts, sharing sensitive data to unsanctioned personnel outside the company and ignoring security policies. The human risk is surpassed only by external threat actors, which accounts for 20 percent.
When criminals succeed in penetrating the infrastructure of a company, they usually rely on people making the wrong choices, starting from simple mistakes like opening an attachment or clicking a link. While the employee may have had good intentions, their mistake is still negligence, and the end result is the same as if they had set out with malicious intent.
Social engineering is a broad term that covers all forms of phishing and physical security. It has three distinct components: phishing that launches a blanket attack with no particular target, spear phishing that often targets specific departments or low-level individuals in the company, and whale phishing, which targets C-level employees, who are viewed as high-value targets given their access inside the company. This is especially important, as we’ve discussed that c-levels don’t always follow security policies and often don’t have the same kind of training as regular employees.
Companies suffer breaches and security incidents all the time, and the raw data shows the naiveté of believing your company is sufficiently protected or that your employees will always do the right thing. The latest Hacked Off! study, which surveyed more than 6,000 infosec professionals, shows that 57 percent of all companies were compromised in one way or another in the past three years. Moreover, 24 percent of businesses had already suffered a data breach by the middle of 2019.
Converting senior executives into cybersecurity believers
It falls on everyone across the business to ensure cybersecurity protocol is not just being followed, but that it is also updated and fit for purpose. Ignoring protocol leaves an organization in an extremely vulnerable position. More specifically, it means those who resist are leaving their departments at risk. A breach can place senior staff in a very precarious position. That’s why it’s up to business decision-makers to lead by example — not just to protect the organization but also their position in the company.
The security team’s influence over C-level executives may vary, so it usually falls to the CISO to persuade executives to follow security policies. Ideally, senior management should undergo cybersecurity training designed for their level and that clearly outlines the company’s policies.
The best way to convert senior executives from potential insider threats into believers is to show them the financial impact of complacency. As individuals who are aware of all the company’s inner workings and revenues, unveiling the costs of a breach can help them adopt a more cyber-aware attitude, more than any training. For an executive, assigning a low priority to cybersecurity can mean the difference between a bright future for the organization or bankruptcy.