For many companies, C-suite executives are the focus of contemporary hackers. Often those in the upper levels of management ask for, and are granted, exemption from company-wide security rules. Protections against phishing schemes, click-bait ads and viruses spread by email are dropped. Management is more likely than the rank-and-file to be distracted by other pressing work matters and consequently to click first, then curse later, after accidentally causing some damage. This can expose their firms to intellectual property theft or to damage to data or personal information. This is not meant to belittle executives, merely to point out that security measures protect everyone equally.
Executives Are Vulnerable Public Figures
Company owners and executives are frequently in the media – print, television, or any number of social media channels. They are public figures, not nearly as anonymous as the bulk of their workers, so a portrait of them can be built, and their contact information harvested, quickly. A Verizon report on data breaches noted that executives top the list of employee categories targeted in social-engineering attacks, such as “spear phishing,” in which an email seems to come from a person or organization the executive implicitly trusts. “Not only do [executives] have a higher public profile than the average end user, they’re also likely to have greater access to proprietary information,” the report said. As a result, information they give up by accident can have a much higher monetary value, and be more damaging to their company’s reputation, than information given up by a single staff accountant.
Exceptions Are Dangerous
When top bosses demand special privileges when using their technology, few IT workers, it seems, dare to refuse the hand that feeds them. A Big 4 financial services firm’s risk consulting group, ironically enough, had over 60,000 client files encrypted with the CryptoLocker ransomware application. This came as a result of one manager being exempted from certain security and VPN services on a company laptop for testing purposes. It took almost 4 days of 2 network admins’ time to rebuild and restore the data, file by encrypted file. Implementing a sophisticated, multi-level defense such as our security-as-a-service, with hardware and software firewalls and spam filters, helps isolate threats before they reach your desktop, making sure everyone is protected equally from external security threats and from their own trusting nature.
Executives Are Busy – We Get That
Companies may hire a firm such as Quartet to test their employees’ security savviness, sending staff emails containing links similar to those an attacker would send. During such simulated attacks, we found management was 25% more likely than their staff to click on links that in a real scenario could install malware. One reason is that most senior leaders either do not have the time or feel they have “been around long enough to know better,” and so miss out on developing cautious email habits. Hacktivists’ methods change and become more sophisticated; everyone must keep up with current trends and styles of criminality.
In the end, if your IT plans are sound, your data will be restored and business will continue. But how will your company’s reputation survive? Make it common practice to have the same levels of security and controls for everyone, or the many costs will quickly become apparent.