The following is a guest post from our partner Villbo Group.
Security awareness training is one of the best measures an organization can take to enlighten its staff members on cyber threats. Training not only informs, but goes a notch higher to empower staff to be able to pick up on cyber threats – e.g. social engineering scams – and respond appropriately. Organizations that have implemented security awareness are reaping benefits and minimizing the cyber threats, especially considering malicious actors are now targeting organizations’ weakest points: humans.
As security awareness gains popularity, there is a growing and worrying trend that the C-suite is being exempted from the training. It’s not a surprise to have an organization implement awareness training but exempt executives and focus only on the operational staff. The C-suite often gets exemptions because they are busy with business strategy; the idea is that training should be for the rest of the staff members.
The C-suite is highly targeted and, given recent trends, also at a higher risk of being compromised. This is motivated by the position they hold and the data they consume, which is of immense value if it finds its way to competitors or falls into the wrong hands. They also access the same applications and network resources as the rest of the team, and hence need to be informed of any possible cyber threats and how to respond to or defend against them.
Here are 7 strong reasons why cybersecurity awareness training is vitally important for the C-suite.
1. Company Reputation is at Risk
If a data breach occurs and it’s traced back to an executive who neglected to set a complex password, this can lead to a bad reputation. Bad news travels fast. Reputation is at risk not only for the C-suite but for the entire organization, since executives speak from a strong company position. Hence any information that leaks, whether true or false, can damage everyone.
2. High Cost of Cyber Threats
Cyber risks can’t be ignored and MUST be a topic of discussion in boardrooms, given the risk and potential damage that come with them. The global cost of cyber crime is approximately $450 billion; this is not a figure to ignore! Getting to know the means malicious actors are using to leak data and extort money is part of corporate risk management. Security awareness training presents an opportunity for executives to understand the need for cybersecurity investments, including the need to develop Human Firewalls.
3. Right Group to Set the Tone
The C-suite sets an example by endorsing the security awareness programs. Their attendance and participation not only show leadership from the top, but also give a rubber-stamp of approval to the program. In a corporate environment, no program succeeds without backing from executives. Their involvement shows commitment and the importance of security awareness by setting the right pace for the rest of their employees to follow.
4. Mr. Hacker Knows You Are Skipping Awareness Training
Malicious actors take time to learn their targets before launching a successful attack. This involves getting to know the individual corporate culture, and it’s not surprising for them to also know that the C-suite skips awareness training. Executives can thus become a target for criminals since they know that uninformed users will more easily fall prey to their social engineering skills and gimmicks. Spear phishing targeting the C-suite is in most cases very professionally crafted and will use lingo that’s commonly used by the executives.
5. Stay Focused & Stay Ahead
Learn the easy way or be forced to learn the hard way. Malicious actors of today are usually not teenagers wearing a hoodie in a dark basement. They are organized groups that have solid structures, processes and procedures – they’ve professionalized their crimes. They are well-funded and have the skills and other resources to compromise many organizations and governments. To combat this real threat, the leadership of organizations must both stay vigilant about cyber crime trends and learn how to make strategic decisions on how best to protect the organization’s critical asset: data.
6. You ARE a Target
The Business Email Compromise (BEC) scam – also referred to as CEO fraud – is exponentially growing, leading to huge losses for organizations. The FBI reports that over $2.3 billion has been lost to fraudsters this way in under 3 years. The BEC scam is a phishing email purporting to be from the CEO, addressed to staff and asking them to transfer funds to an offshore account.
The C-suite needs to know that their position is under attack, and that the defense against this is well-articulated through security awareness training. Executives who take part in security awareness training are better placed to instill a security culture in their organization. They can communicate clearly to their staff on what to watch out for, and encourage skepticism where they encounter situations that look outside the norm.
7. It May Cost Your Hard-Earned Career
If you love your job, you better fall in love with awareness training. Walter Stephan, CEO of Austria’s FACC, lost his job earlier this year, and it’s all attributed to a fraudulent transfer of over €50 million (€10.9 million of this transfer was halted by FACC just in time) that was traced to CEO fraud – or as they called it, the “Fake President” scam. This was a 17-year-old career brought down by a single email scam.
The C-suite is not just a target; they are now actual victims of cyber threats. It gets down to personal responsibility. There is no stronger case for the importance of awareness training for executives than in the example above.
Security awareness programs for the C-suite need to be straightforward, speak their language and provide solid guidelines on how executives can be champions for their organizations. The C-suite is not only exposed to the same cyber threats as everyone else in the organization, but potentially even other more well-crafted schemes. It’s clear that no exception should be given despite the often over-worked position they hold. Executives fully armed as Human Firewalls will greatly improve the overall security posture of the entire organization.
Editor’s Note: This blog article was written by an outside contributor – a guest blogger – for the purpose of offering a wider variety of content for our readers. However, the opinions and recommendations expressed in this guest blog are solely those of the contributor, and do not necessarily reflect those of The Security Awareness Company, LLC.