An urgent call to action has been issued by a new report from Ivanti that highlights a significant cybersecurity “conduct gap” between what senior executives say and what they actually do. Despite 96% of executives claiming to be supportive of their organization’s cybersecurity mandate, the report reveals that nearly half have requested to circumvent security measures, and more than three-quarters use easy-to-remember passwords. These actions, compounded by the fact that executives are highly prized targets for threat actors, pose a significant risk to organizations.
The report, which is global in nature, reveals that executives are failing to lead by example when it comes to cybersecurity. Their behavior falls well short of acceptable security practice and is notable when compared to regular employees. This is concerning given the access rights and “executive exceptionalism” that often leads them to ask for workarounds that regular employees would be denied. As a result, this makes them an attractive target for cyberattacks, with 47% of execs being a known phishing target in the past year and 35% clicking on a malicious link or sending money as a result.
It is clear that there is a need for a security-by-design or security-centric culture within organizations, where awareness of best practices and cyber hygiene permeates throughout the entire organization. However, this is almost impossible to achieve if senior leadership isn’t embodying these same values. Therefore, it is imperative for organizations to take steps to mitigate the cybersecurity risks created by their executives.
One of the first steps is to carry out an internal audit of executive activity over the past year to understand the extent of the executive conduct gap and how it’s manifest in the organization. Tackling low-hanging fruit would involve fixing the most common types of bad security practice that are easiest to address, such as updating access policies to mandate two-factor authentication for all. Additionally, it is important to help executives understand the impact of poor cyber hygiene by running training sessions using real-world scenarios and gamification techniques.
Building mutual trust with senior leadership and implementing a “white glove” cybersecurity program for senior leaders is also crucial. These steps require cultural change and will take time, but by being honest with executives, putting the right processes and controls in place, and teaching them the consequences of poor cyber hygiene, it is possible to set the organization up for success.
In conclusion, security is a team sport, but it should start with the captain. Organizations must address the cybersecurity conduct gap and instill a security-centric culture from the top down to protect against the significant financial and reputational damage that can result from executive malpractice. By doing so, they will be able to create a more secure and resilient business environment that is better equipped to defend against cyber threats.