Getting regular employees to obey IT’s security policies is tough enough. But things get even more difficult when dealing with executives – who, as it turns out, are making plenty of security mistakes on their own.
Users are to blame for a large portion of the data breaches and other IT security incidents companies have to deal with. And specifically, it’s companies’ executives who make a lot of the mistakes that put data at risk, according to a recent study from ThreatTrack Security.
To a point, that finding makes sense. After all, execs are the ones who have access to the most sensitive information, so they’re frequently targeted by attackers.
However, executives also add to the trouble by committing several big security errors and ignoring key IT policies, according to ThreatTrack. Whether the cause is ignorance or bad intent, the 200 IT pros surveyed have had to clean up a lot of messes left by their companies’ execs:
- 56% have had to clean malware off an exec’s computer because the person clicked on a malicious link in a phishing email
- 47% have had to remove malware because an executive connected an infected USB drive or smartphone to a PC
- 45% said executives have let family members use their work computers and other devices, which led to a malware infection
- 40% have had to handle a malware infection after an executive browsed pornographic websites, and
- 33% have dealt with executives who installed a malicious application on a company computer.
Incidents kept secret
One lesson for IT: Stop covering up for misbehaving execs.
Among the IT pros surveyed, 57% said they’ve investigated or responded to a breach that the company ended up not disclosing to customers, partners or other stakeholders. Often, that was because the breach was caused by an executive’s actions.
Of course, holding those folks accountable is easier said than done when you’re talking about the people with all the power. But many IT departments could do a better job explaining to executives that information security is their responsibility, too.
The key: Offer security training tailored to executives.
Beyond explaining all of the costs associated with data breaches, here are some steps IT can take to sell security training to company executives:
1. Make it exclusive
Often, executives shun security training because they believe they shouldn’t be treated the same as every other employee. IT can turn the tables by showing them that they are different — and that cyber criminals will view them differently, too.
Instead of having executives sit in on a general training session, it could have more of an impact if they get their own sessions focused on the threats they’re most likely to face.
2. Get an ally
Finding an ally in one of the company’s executives is important for getting the security message through to any users — but it’s even more critical when the users are other executives.
In many cases, the best person to target is the CFO — after all, security attacks can be a huge drain on the company’s bottom line, so that can be used to get the top Finance exec on board.
3. Give them a test
Even more so than other users, executives might think they don’t need security training because they already know everything.
One good way to get past that attitude is to test their IT security knowledge with a quiz beforehand. That will also help IT choose what to focus on during the training.