Why it’s time to stop security threat acceptance within the C-Suite

Cybersecurity is not a new discipline, nor is the cyber threat to businesses new. But with more people working from home or outside the office, there has been a sharp rise in successful attacks, opening up a whole new set of opportunities for cyber-criminals.

This rise is enough of a concern that the UK government recently launched its first-ever cyber-security strategy to step up Britain's defence and resilience against cyber-attacks. If that is not a signal for businesses to step up as well, what is?

As we move forward, there is a big issue which needs to be addressed, and one that nobody seems to be addressing: security threat acceptance within the C-suite. Why? Because executives are a prime target for financially motivated attacks. A recent Verizon Data Breach Investigations Report (DBIR) found that C-suite executives were 12 times more likely to be targeted in social engineering attacks, and that 71% of the breaches it analysed were financially motivated.

Since cyber-security is a very real concern for people who would, in effect, be personally financially impacted by a breach, you would expect a greater focus on it within the C-suite. Yet, often without appreciating the consequences, C-suite executives forgo proper security protocol and override the measures the IT team puts in place for everyone else, because they want unrestricted access to all company data. That is exactly why individuals must take responsibility at every level of the business: cyber-security cannot be solely the responsibility of the IT security team.

MobileIron recently showed that even IT security teams struggle to enforce their own protocols: in 2020, 76% of executives had asked for a security protocol to be waived. The same research found that CxOs are easily frustrated by the security measures put in place, which makes them less likely to follow protocol than employees outside the C-suite. However frustrating those measures may feel, the fact remains that C-suite executives who refuse to adopt the safeguards implemented in their own business are jeopardising the security of the whole company.

So, what can be done? For one thing, it will take a shift in attitude. It has been reported that 71% of IT decision-makers believe the C-suite are the most likely to fall for attacks because executives deem themselves too senior for IT-style security training. In short, an 'it won't happen to me' mindset has taken hold. Clearly, the relationship between IT, cyber-security and C-suite executives must be repaired first, followed by complete buy-in from every senior leader to take part in the necessary training, thereby setting an example for other employees.

Perhaps, to repair that relationship and give the IT team back some authority, training should be delivered by the IT security team directly to the C-suite. It should be personalised too: executives need to understand the sensitivity of the information they handle, how easily it could be leaked, and how a threat could arise. For example, do they realise the risk of reading the cash flow statement on their mobile phone on a train, where the passenger in the next seat can see the screen and the connection may be an untrusted public network?

Another point, and one that is often overlooked, is the use of multiple IT platforms and the unknown security risks that come with them. Take a business that runs entirely on Microsoft Windows. Everything is locked down with good security in place, but there are exceptions: members of the C-suite want to use Apple Macs and iPads. There is no security set-up covering those devices because the business is a Microsoft house, so the people with access to the most sensitive company data are now reaching it from unmanaged devices that sit outside the controls everyone else is held to. Again, this is where training and a personalised cyber strategy come in, and where the devices executives actually use need to be brought under management rather than tolerated as exceptions.

All in all, we have established that C-suite executives must start taking responsibility for their actions. Changing habits is hard, but companies cannot sit by and allow members of the C-suite to expose the business to further risk. A culture of learning and understanding must be created so that everyone respects and upholds the measures put in place for the safety not only of the company but of the people within it.

Scott Riley
