Why Security Awareness Training Should Begin in the C-Suite

It's not just the rights and privileges that CXOs have on the network. They can also set an example of what good security hygiene looks like.

Cybercriminals aren't only targeting your employees; they are also after the C-suite. The number of reported data breaches continued to climb this year, up 17% from 2020. More alarming is that a growing share of these attacks is aimed at high-level accounts. Business email compromise (BEC) scams crafted well enough to fool even savvy victims are on the rise: the FBI's Internet Crime Report put losses at $1.8 billion in 2020, and they have continued to rise since. Account takeover attempts rose a staggering 671% in the third quarter of 2021, according to a study by one cloud email security provider.

Business email compromise attacks can be particularly damaging when they reach the C-suite because of the privileges typically attached to these accounts. Executives are trusted with a company's most sensitive information, and requests that appear to come from them are rarely questioned. Consider a cybercriminal who gains access to the CEO's email account and sends a fake invoice directly to the CFO, who in turn wires money to the attacker's bank account. Nothing in the message itself looks wrong, because it really did come from the CEO's mailbox; only an out-of-band check (a phone call to the CEO, or a payment process that requires a second approver) stops the transfer.

This poses a unique challenge for security professionals, who are tasked both with properly securing these sensitive accounts and with educating executives about the attacks aimed at them. Traditionally, security awareness training has focused on rank-and-file employees, who remain one of the primary entry points into an enterprise's network. The rise in business email compromise and social engineering attacks, however, reinforces that even the CEO needs training.

Creating an effective security awareness plan at the executive level requires different tactics to overcome roadblocks. Here are four tips to get you started.

Secure By Example
Since security culture is built from the top down, remind executives that they set the example for the rest of the company and have an important role in modeling good cyber-hygiene habits for the entire organization. They are the most visible employees, and if they don't follow the rules it is hard to expect anyone else to. Training can be difficult in the C-suite because executives are more apt to think they can make exceptions, especially about things like using personal devices for work. They need reminding that keeping the company secure means leading by example, and that an exception carved out for an executive's account is precisely the gap an attacker will look for.

Use Real-World Scenarios
Educate executives on the specific threats they are likely to face. Social engineering attempts are getting more elaborate. Prepare the C-suite with interactive training exercises that walk them through a series of realistic scenarios. In particular, they should practice spotting the tells of a phishing email: misspellings, odd syntax, and misplaced or substituted characters in a sender address or domain. Reinforce that urgent requests, even ones that appear to come from the CEO, should be verified through a separate channel, and that anything suspicious should be flagged to the security team.
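As an added example (not code from the article or its authors), the following Python script turns those tells into an automated screen that a mail-filter hook or help-desk triage script could run on the From: header of an inbound message. It flags a sender domain that is a misspelling, character swap or homoglyph of the company's own domain, a display name that claims an executive while the address is external, and urgency cues that should trigger out-of-band verification even when the sender is genuine (the compromised-CEO-mailbox case above). The trusted domain, executive roster and sample headers are constructed for the example and are assumptions, not data from the article.

```python
"""Lookalike-sender screen for BEC triage (added example, constructed data)."""
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplecorp.com"}        # constructed allowlist (assumption)
EXECUTIVE_NAMES = {"jane doe", "john roe"}   # constructed roster (assumption)
URGENCY_WORDS = ("urgent", "wire", "immediately", "confidential", "asap")
# ASCII confusables attackers substitute into lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
MAX_TYPO_DISTANCE = 2   # edits from a trusted domain that still count as a typosquat


def normalize_domain(domain: str) -> str:
    """Fold Unicode lookalikes (NFKC) and ASCII confusables before comparing."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against a trusted domain means typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, subject: str = "", body: str = "") -> dict:
    """Classify a From: header as trusted / external / suspicious / unparseable."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        return {"verdict": "unparseable", "verify_out_of_band": True,
                "findings": ["no address in From: header"]}
    findings = []
    if domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        norm = normalize_domain(domain)
        for trusted in TRUSTED_DOMAINS:
            dist = edit_distance(norm, normalize_domain(trusted))
            if dist == 0:
                findings.append(f"homoglyph lookalike of {trusted}: {domain}")
            elif dist <= MAX_TYPO_DISTANCE:
                findings.append(f"typosquat of {trusted}: {domain}")
        if name.strip().lower() in EXECUTIVE_NAMES:
            findings.append(f"display name {name!r} is an executive but {domain} is not a company domain")
        verdict = "suspicious" if findings else "external"
    text = f"{subject} {body}".lower()
    urgent = [w for w in URGENCY_WORDS if w in text]
    if urgent:
        # Urgency is a cue even from a real executive mailbox: it may be compromised.
        findings.append("urgency cues (" + ", ".join(urgent) + "): confirm by phone before acting")
    return {"verdict": verdict, "findings": findings,
            "verify_out_of_band": verdict == "suspicious" or bool(urgent)}


if __name__ == "__main__":
    SAMPLES = [  # constructed headers, not real mail
        ("Jane Doe <jane.doe@examplecorp.com>", "Q3 numbers"),
        ("Jane Doe <jane.doe@examp1ecorp.com>", "URGENT: wire transfer today"),
        ("Jane Doe <ceo.janedoe@gmail.com>", "Quick favor"),
        ("Vendor Billing <billing@examplecrop.com>", "Updated bank details"),
        ("Jane Doe <jane@ｅxamplecorp.com>", "Fullwidth e in domain"),
    ]
    for hdr, subj in SAMPLES:
        r = assess_sender(hdr, subj)
        print(f"{r['verdict']:11} {hdr:45} {'; '.join(r['findings'])}")
```

The verdict is deliberately coarse: a message can be "trusted" and still carry a verify_out_of_band flag, which is the point the article makes about urgent requests from the CEO. A real deployment would also check SPF/DKIM alignment and the Reply-To header, which this screen does not look at.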

Don't Forget About Personal Devices
With the rise in remote work, employees pose a potential risk every time they walk into the office and reconnect their laptops to the company network, and that includes the CEO. Use of a VPN when working remotely should be encouraged for every employee. Cybercriminals can just as easily target C-suite executives through their personal email accounts and even social media, so all employees should be encouraged to log in to work accounts only from company-issued devices and to keep personal devices for personal accounts. Executives should also receive the same education as the rest of the team on choosing strong passwords that are unique to each account, so that one leaked credential cannot be replayed against another; in practice that means a password manager, since nobody remembers dozens of unique passwords.

Speak the Language of Risk
Get buy-in by speaking the C-suite's language. CISOs often find it difficult to win support from other executives for cybersecurity initiatives because the investment seems intangible. The key to getting executives to sit up and pay attention to security awareness training is showing the return on investment. That is hard when no one knows whether they will be attacked, but every business leader should assume their business will be a target at some point. A single attack could cost tens of millions of dollars; prevention is far cheaper. Breaches are a direct financial risk to any business. Quantifying the cost of human risk and demonstrating the return executives can expect from spending on training will make them more likely to get on board, and to follow the rules themselves.

In today's increasingly digital world, where so many people work remotely, keeping the C-suite's accounts secure is essential to keeping the entire company secure. Start now with a plan to educate executives on the growing threats, emphasizing that the company's financial well-being depends on their good cyber hygiene.
