C-Suite executives are busy, keeping track of profits and many people and projects at once. Nevertheless, this can't be an excuse for not keeping up with cyber security. Here's help to encourage C-suite buy-in and advocacy for security awareness in your organization.
If the people leading the organization take a laissez faire attitude to security awareness training, how can any better be expected of the people working for them? Yet employees represent one of the biggest threats to IT's efforts to protect applications, networks, systems and physical premises.
They typically don't mean to do it, but employees can be the ones to blame for:
Your business's senior executives can also exacerbate the problem by not prioritizing security awareness or taking cyber security seriously enough. Perhaps because they are so used to delegating and having to trust those working for them, they might assume that they don't have to do the training themselves. Someone else will take care of cyber security for them. Yet this isn't the case.
Everyone in the organization - from the CEO to the CEO's granddaughter intern - can benefit from taking the time to learn about the latest in cyber security and new threats and challenges. The organization will benefit in the process.
Quite often, people don't bother with security awareness because they feel like they already know all they need to know. Perhaps they took training when they first started with the company (in fact, this should be a standard part of your security policy).
Well, whether that was six months ago or six years ago, they could likely benefit from an updated understanding of the threats, what bad actors are doing to gain access to unsecured devices, networks, and applications, and how laws and compliance regulations are changing.
Another point of resistance comes from people's belief that it won't happen to them. Sigh. Wouldn't that be nice! The threat of cyber attack is a day-to-day reality for any organization these days.
A good counter to this perspective is that it's not worth taking that risk. Especially with cyber criminals not only going after obvious targets such as financial or healthcare organizations but also trying to access business's computers to power their crypto mining efforts. Reminding them also of the many compliance requirements for regular training could help too.
You might also remind your C-Suite execs of the advantage of everyone in the organization working from the same playbook.
A 2017 study reported in the Harvard Business Review found "80% of the executives surveyed in the U.S. believe cybersecurity to be a significant challenge facing their business, while only 50% of IT Decision Makers (ITDMs) agree." Meanwhile, the C-suite was seriously underestimating the average cost of a breach: ITDMs estimated the average cost at $27.2 million compared to the $5.9 million cited by executives.
Clarifying for leaders the other costs of a breach could help too. A Ponemon study found breached businesses could expect:
When viewed from this perspective, can the C-suite afford not to buy into security awareness and training?
Every decision someone makes in the business, at any level, can have risk implications.
Some 95% of all attacks occur because of a basic level failure, according to Jeremy Bergsman, practice leader at professional-services company Gartner.
"Most breaches happen when people are doing the right thing," Bergsman told HR Executive. "Strong anti-malware is in place, systems are configured properly, but one small thing may have been forgotten. It's that small, basic measure that significantly increases the chances of an attack."
To bring everyone into alignment taking cyber security seriously, encourage them to assume the worst. Expecting that at some point your organization will be dealing with a breach, you can plan incident response with table-top exercises engaging the executives in decision-making related to their roles. Confronting potential costs and recognizing their responsibilities can help curtail a disconnect.
Educate everyone throughout the organization. All employees need to understand how attackers can exploit the information they gather from reconnaissance efforts to craft targeted attacks. Help employees to understand the breadth of threats out there. For example, theft of sensitive data or breach of personal information is not all that bad actors might want to do. Businesses also run the risk of ransomware, intellectual property theft, hacktivism, and more.
Penetration testing and social engineering testing can help drive the point home for employees - even C-suite execs. RedTeam Security offers application, network, physical, and IoT device penetration testing to help identify and fix vulnerabilities, with extensive reporting to help leadership not only understand the vulnerabilities identified but to map out a viable path to correct them.
Reach out to our experts today to begin planning a more secure future for your organization.