The Rules Don’t Apply To Me: Addressing The Cultural Aspect Of Cyber Security

By Bruce Penson | March 8, 2022 | Updated: March 8, 2022 | 5 Mins Read

It’s been impossible to ignore the media reports about rules being followed — or, more importantly, not followed — by our leaders. This demonstrates that those in a privileged position may believe they can circumvent guidelines and regulations designed to keep people safe.

Politics aside, there are parallels between recent events and how some organisations address cyber security. Firms boasting a proactive cyber security programme will undoubtedly have noticed — and may already be frustrated by — the time and productivity impacts of safeguards such as multi-factor authentication (MFA). MFA may be an essential defensive precaution, but some staff spend 15 minutes entering codes in the morning before they can even start work.

For a senior executive or business owner, the situation is even worse. Not only must they provide reasonable spending budgets to pay for these new security measures, but their workforce becomes less productive as a result of their implementation. Given this, we can perhaps forgive senior decision-makers when they decide they need to exempt themselves from the rules they perceive to be too costly for their organisation.

However, as Bruce Penson, managing director at cyber security strategy and IT support company Pro Drive IT, points out, this is a dangerous approach and one that could be creating a culture of risk in organisations.

Targeting senior leadership

It’s unavoidable that improving cyber security will impart some level of burden on staff, which will become a problem if, as a senior leader, you decide the rules do not apply to you.

Ultimately, cyber criminals know that senior executives have the most extensive access and are often not as well-protected as other staff within an organisation. These individuals possess the most useful passwords for banking accounts, financial systems and other intellectual property. Therefore, they’re a potential goldmine of business data, which makes them both an attractive and easy target — one that criminals will go out of their way to target directly.

Business owners and C-level executives have well-connected networks and often display details of their activities and business profile publicly. Even if a criminal can’t steal directly from them or their firm, if they get access to communication systems such as email or social media, they can easily dupe this contact base into disclosing passwords or financial details.

Plus, weak cyber protection presents an even greater risk to SMEs, where senior leadership is often in direct contact with clients. In sectors such as finance, law or accountancy, senior staff may manage their company’s largest clients and regularly exchange private and sensitive information in the process. If one of these accounts is compromised, or if an attacker carries out an impersonation campaign using it, they could inflict damage on the company’s biggest clients.

Disregarding cyber security best practices could provide the perfect weak link for hackers to exploit and put both a company and its clients at significant risk. So, senior leadership should ensure they’re observing and conforming to the same security guidelines and protocols as anyone else in their business — and are seen to be doing so! Just like Gandhi, perhaps the most famous of all leaders, once said: ‘Man becomes great exactly in the degree in which he works for the welfare of his fellow men’.

Prioritising cyber security

Most of the processes businesses implement from a security perspective have a negative effect on staff productivity; that’s the trade-off business leaders must take to keep their systems secure. But when employees see that senior leadership doesn’t prioritise these processes or follow cyber security best practices, they’re unlikely to either.

An IT security audit will clearly show the risks created by a senior team culture that lacks security-consciousness. Frequently, these individuals have elevated access privileges, such as approving large payments and setting up new accounts — the kind of access a criminal is always hoping to find, as it’s an easy way for them to steal money. As such, senior leadership should make sure they don’t have access to accounts unless it’s absolutely necessary.

For example, most senior employees probably won’t need access to admin accounts. In fact, people with the most seniority should minimise the number of accounts they can access to make themselves less of a target. Enforcing a least-privilege access approach within a broader identity and access management strategy can reduce the breach threat that C-suite-level profiles pose to other business systems.

Leading by example

Without addressing the cultural aspect of cyber security on a company-wide level, investments into software and the efforts of IT departments will go to waste. It’s easy to approach an IT services provider and purchase the latest defensive software. But in reality, improving security within an organisation relies on its cultural approach to IT security. The bottom line is that if senior staff don’t appear to care about cyber security, the business simply won’t be secure.

C-level staff are no strangers to leadership; it’s their primary role. So, as senior employees set the standard throughout an organisation, they must also lead by example regarding cyber security. After all, with the threat landscape worsening and the reputational, financial and legal cost of a data breach increasing, what business can afford to risk inviting a cyber attack in the modern world?

Bruce Penson, Managing Director at Cyber Security Strategy and IT Support Company Pro Drive IT

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
