A recent Dark Reading article – The Real Reason Why the C-Suite Isn’t Complying with Security – revealed some interesting insights into how corporate leaders are seeing cybersecurity. The article cited survey results showing 57 percent of infosec professionals globally say key executives are least likely to comply with cybersecurity policies. The article goes on to mention that 98 percent of C-suite executives note they have some management responsibility for security.
So, where’s the disconnect?
There are likely many factors that go into why there’s a perception of non-compliance among C-level executives. Lionbridge CSO, Douglas Graham, points to a few possible reasons.
Across my career, I’ve found many C-suite executives are not fully aware when they aren’t in compliance; rather, others often make decisions for them based on what they think the executive might or might not tolerate. It’s time to take a look at the controls or the culture. CISOs need to work with the C-suite and other key influencers to explain the reason behind the controls and not just demand compliance for compliance sake, even if that takes more time.
That is one point the article drives home. That while the C-level executives may feel they are in compliance, the lack of communication with them can spell trouble. The C-level has unique needs that others in the organization may not realize – the necessity for a secure network connection outside of the building and on numerous devices, access to sensitive data and financial information – which might facilitate the need for adjustments to the cybersecurity protocols in place as a result.
Getting cybersecurity right at the C-level is becoming more paramount. As we pointed out in a blog earlier this year, the C-level suite is a growing target for social engineering phishing attacks. This year’s Verizon Data Breach Investigations Report show that social engineering threats that target the C-suite are up 12-fold over 2018 levels. Frequently the social engineering phishing attacks came in the form of emails that appeared to be from one C-level executive to another – often a CFO with access to financial assets. And, since these high-level executives are rarely challenged over their actions in the near-term, they are growing as a target attack vector.
The Dark Reading article concludes that executives really do care about cybersecurity, and while we’re sure that’s the case, at the end of the day security is only as good as the humans and their actions – whether the human is sitting on the top floor corner office, or in a cubicle somewhere else. What is needed beyond strong, company-wide policy (and communication) is cybersecurity automation.
SlashNext Real-Time Phishing Threat Intelligence identifies live zero-hour threats in real-time and allows organizations to respond in real-time with automated blocking through their firewall.
In addition, our Targeted Phishing Defense solution protects against previously unknown C-level social engineer attacks. Its automated and uses real-time detection to identify data exfiltration, C2 communications and phishing threats that slower technologies seem to miss.
You can check this technology out yourself. Contact us to learn more or try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.