CIO

CEOs: The weakest link in cybersecurity

By Nick Lennon, country manager, Mimecast

As organisations continue to grapple with the unsettling news that their business is constantly at risk of falling victim to a cybercrime, it’s important they look both internally and externally at what may potentially be the source of cyber security attacks.

The blame has traditionally fallen on not having the latest security systems in place. However, the July to September quarterly Notifiable Data Breaches report released by the Office of the Australian Information Commissioner in 2018 showed that human error remained a major source of breaches, accounting for 37 per cent of data breaches during the period.

These human errors included sending emails to the wrong recipient and unintentionally releasing company information. These errors are often assumed to be the work of rank-and-file employees; however, your company CEO is not infallible either. After all, CEOs are humans too.

The CEOs that are adopting the optimal cyber security stance are the ones that recognise their businesses are just as likely to be targets for cyber‐attacks as big banks and government agencies, and that they themselves could be the way in.

They’re also business leaders that appreciate that much of their intellectual property is generated from customer data. They must persistently honour their social contract with consumers by protecting that data, or risk the consumers’ wrath if they’re negligent.

We’ve found that many Chief Information Security Officers (CISOs) and other IT leaders attempt to work through CEOs and boards to push cyber security awareness through organisations from the top down.

One of the biggest challenges is that CEOs have large blind spots in their understanding of cyber security threats. They have to move rapidly just to keep up with their regular responsibilities, and cyber security threats evolve too quickly for them to keep abreast of it all.

It’s not considered the CEO’s job to be able to spot every new kind of scam and attack but leading the organisation on staff training and education is a powerful practical measure against breaches. Taking this proactive approach of sending a strong message about the organisation’s stance on cyber security can build a ‘human firewall’, which can act as a new layer of defence and resilience on top of any other security mechanisms that are already in place.

Unfortunately, in many cases Australian CEOs are not earning top marks for their cyber security strategies. A recent Vanson Bourne survey commissioned by cloud email security specialist Mimecast revealed that 44 per cent of respondents believed that their CEO was the weak link in their cyber security operation. Furthermore, only 28 per cent of organisations said that they had adopted a complete cyber resilience strategy.

However, perhaps the most alarming statistic to surface from the survey, particularly when considering the wider prospects for cyber security awareness among Australian businesses, is that in 51 per cent of cases organisations believed that their CEO was unable to protect himself or herself from a direct cyber‐attack.

These attacks are often less technical in nature: rather than breaking into systems directly, the attacker uses email to deliver a fraudulent request that, if acted on, compromises the business’s systems or finances.

In recent years hackers have begun to realise that, rather than pouring huge amounts of resources into thwarting high‐tech security systems or discovering zero‐day security bugs in software, it can be easier to use social engineering to exploit human weakness and pull off a scam.

For instance, an attacker might use LinkedIn to extensively research a company and its executive team in order to support a ruse, such as posing as one of its suppliers and sending an email requesting a change to bank payment details. Alternatively, they might adopt an authoritative email tone, pose as the CEO and trick an employee into clicking a malware link in a phishing message to gain control of company systems. Such cases show that while CEOs may be victims, they are also often the face of impersonation attempts.

It’s by no means a certain indication of the scale of the loss businesses face, but it’s notable that the Australian Competition and Consumer Commission (ACCC) in 2018 urged businesses to review how they verify and pay accounts and invoices. The ACCC also reported that scams involving email contact totalled $2.8 million in losses. Email remains, and will continue to be, mission- and business-critical, which makes it a common attack vector for cybercriminals.
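The two impersonation patterns described above (a lookalike supplier asking for new bank details, and an executive’s display name on an outside address) are exactly what an inbound-mail screening rule can flag before an invoice is paid. The following is an added example, not Mimecast’s product logic or anything from the original article; the domain names, the executive list and the sample messages are all constructed.

```python
import re

# Constructed configuration: the organisation's own domain, trusted supplier
# domains, and executives whose names are worth protecting from spoofing.
TRUSTED_DOMAINS = {"example.com.au", "supplier.example"}
EXECUTIVES = {"jane citizen": "jane.citizen@example.com.au"}
PAYMENT_CHANGE = re.compile(r"\b(bank|account|bsb|payment) (details?|change)\b", re.I)


def parse_from(header):
    """Split 'Display Name <addr@domain>' into (lower-cased name, lower-cased address)."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()


def edit_distance(a, b):
    """Levenshtein distance; small distances against a trusted domain suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header, reply_to, subject, body):
    """Return the list of impersonation indicators found in one inbound message."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    # Executive display name, but the address is not that executive's real one.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("executive display name from non-matching address")
    # Sender domain is within two edits of a trusted domain but is not one of them.
    if domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS
    ):
        reasons.append("lookalike domain: " + domain)
    # Replies silently redirected to another domain.
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != domain:
        reasons.append("Reply-To domain differs from From domain")
    # The payload of most supplier-impersonation fraud: change where money goes.
    if PAYMENT_CHANGE.search(subject + " " + body):
        reasons.append("requests change to payment details")
    return reasons
```

A flagged message is not proof of fraud; the point is to route it to the out-of-band verification step the ACCC recommends (a phone call to a known number) before any payment detail is changed.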

The financial cost to business is likely to be hugely underreported due to confidentiality considerations. However, the financial cost is only part of the damage. Most investment in cyber security is driven by fear of reputational damage, but businesses often forget the damage to staff morale, whether from the breach itself or from the obligation to work harder to recover from it.

Companies big and small that take protecting their reputations and operations seriously are those with leaders who take responsibility for the business’s culture, including organisational cyber security awareness.

Nick Lennon is Country Manager for Mimecast, which provides advanced security, continuity and archiving cloud services for business email.