Why Security Awareness Training Should Begin in the C-Suite

It's not just the rights and privileges that CXOs have on the network. They can also set an example of what good security hygiene looks like.

Ashley Rose, CEO and Co-Founder, Living Security

January 11, 2022


Cybercriminals aren't only targeting your employees; now they're also after the C-suite. The number of reported data breaches continued increasing exponentially this year, up 17% from 2020. Even more alarming is that a growing number of these attacks are aimed at high-level accounts. Business email compromise scams that are skillfully crafted to trick even the savviest of victims are on the rise, resulting in losses of $1.8 billion in 2020, according to the FBI's Internet Crime Report, and reaching unprecedented levels since. Account takeover attempts rose a staggering 671% in the third quarter of 2021, according to a study by one cloud email security provider.

Business email compromise attacks can be particularly damaging when they reach the C-suite because of the added privileges typically associated with these accounts. These executives are generally trusted with a company's most sensitive information, and their communications are trusted as well. Think of the implications, for example, of a cybercriminal gaining access to the CEO's email account and sending a fake invoice directly to the CFO, who in turn sends money to a linked bank account.

This poses a unique challenge for security professionals, who are tasked with both properly securing sensitive accounts and educating executives on these attacks. Traditionally, security awareness training has focused heavily on company employees, who remain one of the primary gateways to an enterprise's security network. However, the rise in business email compromise and social engineering attacks reinforces the fact that even the CEO needs training.

Creating an effective security awareness plan at the executive level requires different tactics to overcome roadblocks. Here are four tips to get you started.

Secure By Example
Since security culture is built from the top down, remind executives that they are examples for the rest of the company. As such, they have an important role in modeling positive cyber-hygiene habits for the entire organization. They're the most prominent employees, and if they aren't following the rules, it's more difficult to expect anyone else to. Cybersecurity training can be difficult in the C-suite because executives are more apt to think they can make exceptions, especially when it comes to things like using personal devices for work purposes. They need more reminders that if they want to keep the company secure, they need to lead by example.

Use Real-World Scenarios
Educate executives on the very specific threats that they are likely to face. Social engineering attempts are getting more elaborate. Prepare the C-suite with interactive training exercises that force them to work through a series of real-life scenarios. In particular, they should work on things such as identifying misspellings, syntax issues, and misplaced characters that could indicate a phishing email. It should also be reinforced that urgent requests, even from the CEO, should be verified and that anything that seems suspicious should be flagged for the security team.

Don't Forget About Personal Devices
With the rise in remote work, employees pose a potential risk every time they walk into the office and reconnect their laptops to the company network, and that includes the CEO. The use of VPNs when working remotely should be encouraged for every employee. However, cybercriminals can just as easily target C-suite executives through their personal email accounts and even social media. All employees should be encouraged to log in to work accounts only from their company-issued devices and to keep their personal devices for private accounts. C-suite executives should also receive the same education as the rest of the team when it comes to choosing complex passwords that are unique to each account to prevent a breach.

Speak the Language of Risk
Get buy-in by speaking the C-suite's language. CISOs often find it difficult to receive buy-in from other executives on cybersecurity initiatives because it seems like an intangible investment. The key to getting company executives to sit up and pay attention to cybersecurity and security awareness training is proving the return on investment. That's difficult when no one knows if they'll be attacked, but every business leader should assume their business will be a target at some point. Just one attack could cost tens of millions of dollars, and prevention is much cheaper. Security breaches represent a direct financial risk to any business. Quantifying the cost of human risk and demonstrating the return on investment that executives are likely to see if they spend on training will make them more likely to get on board and follow the rules.

In today's increasingly digital world where so many are working remotely, keeping the C-suite risk-free is paramount to keeping the entire company secure. Start now with a plan to educate executives on the growing threats, emphasizing that the company's financial well-being depends on their positive cyber hygiene.

About the Author

Ashley Rose is the CEO and co-founder of Living Security and is passionate about helping companies build a positive security culture within their organizations. An adaptable problem solver, Ashley is thoughtful and transparent in her approach to running the company and working with clients toward a singular goal: reduce risk by making people a security asset instead of a liability. Ashley has a bachelor's degree in business administration from the University of Michigan and is a serial entrepreneur with experience designing and managing product lines. After launching her career in the tech industry, she became intrigued by cybersecurity and its accelerating impact on organizations, individuals, families and communities. Ashley co-founded Living Security based on a philosophy that empowering people is the best approach to lasting security awareness and breach prevention.
