C-level employees are putting their organisations at risk by neglecting cyber security practices, a new report suggests.
According to McAfee’s Grand Theft Data II: The Drivers and Shifting State of Data Breaches, 61% of respondents believe executives demand greater lenience when it comes to cyber security policies and processes. This includes things such as choosing not to attend staff awareness courses or not being subjected to access controls.
Almost two thirds (65%) of respondents argued that senior employees who ignored their cyber security obligations were directly responsible for a data breach.
Security controls exist for a reason
McAfee’s findings are disheartening for several reasons – the most obvious being that data breaches pose a substantially smaller risk if you don’t make basic mistakes. That’s why security controls exist.
Take access controls, for example: they are reasonably easy to set up and rarely interfere with an employee’s ability to work, but they stop crooks from reaching all of an organisation’s systems when they break into a single account. Instead, the crook can only view the information that is relevant to the job role of the employee whose credentials they’ve stolen.
Similarly, staff awareness training reminds employees of the steps they should take to stay secure. The courses might be tailored to policies and processes the organisation has in place, address specific risks (like phishing and ransomware) or provide guidance on regulatory requirements.
Whatever the courses’ aims, their content is relevant to all staff. From entry-level employees to executives, everyone who accesses privileged information is at risk of being targeted by an attack or of otherwise causing a data breach.
Verizon’s 2019 Data Breach Investigations Report, which was released last week, noted that compared to 2017, senior employees are 12 times more likely to be sent phishing emails than lower-level employees and 9 times more likely to fall victim.
‘Do as I say, not as I do’
The other reason to be disheartened by McAfee’s report is that its findings could dissuade other employees from following cyber security controls: “If my boss can’t be bothered to go to training, why should I?”
One of the biggest problems when it comes to organisational resilience is making employees understand that security is everybody’s responsibility. Take password creation. Most people know the dos and don’ts of passwords but still fall into the same trap of convenience, blindly assuming that their account won’t be hacked.
And maybe they’re right. In an organisation that employs 50 people, there’s a very small chance that a crook will target that employee in particular. But if everyone takes that attitude, everyone will have a weak password and it therefore doesn’t matter who the crook targets.
That’s why senior management needs to lead by example. They are responsible for creating a culture of security, and can go a long way to achieving that goal simply by demonstrating that they also follow the rules. After all, who wouldn’t turn up to a mandatory staff awareness training course if they knew their boss was going to be there?
Are your security measures working?
As McAfee has shown, while organisations often do the hard work in implementing the necessary controls, they are let down by their inability to see their plans through. For a cyber security plan to be effective, you must be confident that everyone it applies to is following the rules.
Get your employees on board with your cyber security plan by equipping them with the tools to understand your organisation’s information and compliance risks.
Interactive e-learning courses are a time- and cost-effective way to educate staff on key organisational issues in a structured manner. The Information Security and Cyber Security Staff Awareness E-Learning Course teaches staff the basics of data security, information security risks, cyber security risks and dealing with threats.