Top executives — the employee group most targeted by threat actors — are frequently provided unfettered access to valuable data sources and networked assets, according to Ivanti.
Executives access unauthorized work data
While 96% of leaders say they are at least moderately supportive and invested in their organization’s cybersecurity mandate, the reality is that 49% of CXOs have requested to bypass one or more security measures in the past year.
Although security leaders are aware that high-access executives present a unique security threat, the research reveals that executive security exceptions and low-risk time-savers lead to outsized organizational risks.
The report identifies several executive cybersecurity habits and behaviors that security professionals need to be aware of:
- One in five leaders have shared their work password with someone outside the company.
- 77% use easy-to-remember password hacks, including birthdates or pet names.
- CXOs are three times more likely to share work devices with unauthorized users, such as friends, families and external freelancers.
- One in three executives admit to accessing unauthorized work files and data, and nearly two in three say that they could have edited those files/data when accessing them.
Security professionals might excuse poor executive cybersecurity hygiene
Moreover, the report highlights a critical issue of trust and communication between executives and the security teams responsible for protecting them. Executives reportedly are two times more likely to say their past interactions with security were ‘awkward’ or ‘embarrassing’ when sharing security concerns.
This leads to executives being four times more likely to resort to external, unapproved tech support. To address this, the report emphasizes the importance of rebuilding trust and fostering a collaborative relationship between security teams and executives based on honesty and friendly support, rather than condemnation or condescension.
“Due to limited bandwidth, security professionals might excuse poor executive cybersecurity hygiene and underestimate the risk they pose. However, based on our findings, there is a need to spend extra care securing this group,” said Daniel Spicer Chief Security Officer at Ivanti. “With an uptick in tailored executive phishing, the focus should be on instilling a positive security culture and winning greater executive compliance through compelling education and collaborative insights.”
The report outlines steps businesses and security professionals can leverage to close the executive conduct gap including conducting audits, prioritizing remediation for the most common risks, conducting gamified security training sessions, and implementing “white glove” security programs.