Why CEOs can be the weakest link in cybersecurity
While it’s not the CEO’s job to identify every type of new IT attack vector or repel every scam email, their level of understanding of cybersecurity threats can make an enormous difference to the preparedness of their organisation to deal with the threat of cybercrime.
A CEO needs to be proactive when it comes to providing training and education resources to staff, to help them minimise their risk of inadvertently opening up the organisation’s IT network to attack.
This sends a clear enterprise-wide message that it is incumbent upon everyone – from the top of the organisation down to junior members of staff – to equip themselves with the knowledge required to defend the network.
This is critical, as any knowledge gaps can create a weak spot for intruders to exploit.
Unfortunately, in many cases, Australian CEOs are not earning top marks for their cybersecurity strategies.
Research by Vanson Bourne, for Mimecast’s 2018 State of Email Security report revealed that 44% of respondents believed that their CEO was the weak link in their cybersecurity operation.
Furthermore, only 28% of organisations said that they had adopted a complete cyber resilience strategy.
But perhaps the most alarming statistic to emerge from the survey — particularly when considering the wider prospects for cybersecurity awareness among Australian businesses — is that in 51% of cases, organisations believed that their CEOs would be unable to protect themselves from a direct attempt at a cyber-attack.
CEOs that have not taken the time to understand cybersecurity threats – and consequently have large blind spots in their knowledge – are less likely to run an organisation with a solid cybersecurity strategy in place.
Worse still, their approach to cybersecurity can permeate throughout the organisation because of the poor example the CEO sets in not giving cyber threats the appropriate level of attention.
This is concerning when one considers the potential reputational and financial damage that can result as a consequence of a breach.
While the blame for cybersecurity breaches has often fallen on not having the latest security systems in place, the quarterly Notifiable Data Breaches report released by the Office of the Australian Information Commissioner, for April 1 to June 31, 2019, identified human error as the source of 34% of all reported data breaches during that period.
These human errors included sending emails to the wrong recipient and unintentionally releasing company information, as well as clicking on links from phishing emails.
Chief Information Security Officers (CISO) and other IT leaders must also do more to convince CEOs to push cybersecurity awareness through the organisation from the top down.
A good way of achieving this is through the implementation of an organisation-wide training program that is interesting and engaging enough to make everyone, including the CEO, acutely aware of the threats and how to neutralise them.
The CEOs that are adopting an optimal cybersecurity stance recognise that no matter their business, they are just as likely to be targets for cyber-attacks as big banks and government agencies.
They’re also business leaders that can appreciate that much of their intellectual property is generated from customer data, so they must adhere to their social contract with consumers to protect that data or risk experiencing their wrath if they’re negligent.
Hackers have come to realise that rather than expending a huge amount of time, effort and expense into defeating high‐tech security systems or discovering zero‐day security bugs in software, it’s much easier – and far less costly and time-consuming – to use social engineering to exploit human weakness to pull off a scam.
It’s therefore imperative that CEOs understand this and lead by example by learning about the latest threats from their organisation’s security experts and ensuring that knowledge is shared enterprise-wide.
No-one should be left in any doubt over the need to remain vigilant when it comes to dealing with this type of exploit.
This article originally appeared on SecurityBrief.com.au and has been republished with permission.