Nearly 60% of organisations will fall victim to an email-based attack this year, and there’s a good chance the guilty party will be the CEO, according to Mimecast’s The State of Email Security 2018.
According to the report, 37% of respondents said their organisation’s CEO is a “weak link” in their cyber security programme. Evidence backs this up: Mimecast found that 31% of C-level employees had “very likely” sent sensitive data to the wrong person in the past 12 months, compared to just 22% of general employees.
C-level staff are also liabilities when it comes to phishing, with Mimecast finding that senior staff at 20% of organisations surveyed had fallen victim to a malicious email in the past year.
Lack of awareness
Respondents to the report agreed that the reason the C-suite is vulnerable to attacks is because they “undervalu[e] the role of email security”. In other words, they don’t recognise the importance of cyber security and don’t put in place organisational measures that will help everybody, themselves included, stay secure.
Peter Bauer, Mimecast’s CEO, said: “This is more than just an ‘IT problem.’ It requires an organization-wide effort that brings together many stakeholders, puts the right security solutions in place and empowers employees – from the C-suite to the reception desk – to be the last line of defense.”
Mimecast’s report suggests this isn’t happening. Only 11% of organisations said they continuously train employees on how to spot cyber attacks, and 52% perform training once a year. This is the bare minimum that organisations should be doing.
Ideally, organisations will deliver a series of staff awareness courses covering a range of security issues throughout the year. The courses don’t have to be long – everything you need to know can probably be discussed in under an hour – but even brief reminders ensure that security remains a top priority.
Commit to staff awareness training
Our Information Security Staff Awareness E-Learning Course teaches employees about the most important elements of information security. It aims to reduce the likelihood of human error by familiarising non-technical staff with security awareness policies and procedures.
This interactive course is aimed at any employee who processes information, uses information technology as part of their day-to-day work or uses the Internet as a means of conducting business. The course content isn’t technical, making it ideal for anyone – from C-level staff to interns.