A recent survey from the UK Government, “Cyber resilience captains of industry survey 2021” has some interesting insights into the awareness of cyber security risks at the C-Suite and board level of an organisation.
The survey found that almost all respondents see the board incorporating cyber risk considerations into wider company affairs. However, the report caveats this with the following warning:
“Captains still feel there is more that can be done to equip Board members to deal with cyber threats. Captains most commonly mentioned awareness raising among board members and targeted training”
The C-Suite and board are specific groups that require tailored training to meet their unique needs. Here are some ideas for creating a security awareness program for your C-Suite.
Why Train the C-Suite?
The people that work in the C-Suite are influential in their company.This influence is vital in helping to deliver consistent, effective security awareness across the entire organisation. Therefore, targeting this group in a security awareness campaign makes sense.
The ‘tone at the top’ is a well-known phenomenon in security risk management. This ‘tone at the top’ is highlighted in the handbook from the European Directors’ Association (ecoDa), which offers several key recommendations in risk mitigation in an era of voluminous cyber threats. One of the recommendations is to set the tone for awareness throughout the organisation – the report states this:
“The board and the management should set the tone at the top and develop the right culture and raise awareness to develop cyber resilience.”
The Components of a Targeted Security Awareness Program for the C-Suite
It’s noteworthy that the U.K. Government’s captain of industry report found that security awareness has hit the boardroom. However, the C-Suite and board members must be part of a general and targeted security awareness program. Building awareness at this level can cement the culture of a security-first mindset.
Here are the critical factors of an awareness campaign that focuses on a C-Suite:
Build the Tension with Risk
The C-Suite has many balls to juggle. The core business of a company must always come first. But, if this core business is placed at risk because of cyber threats, then a company must prioritise these threats.
Set the scene for the C-Suite training by showing the return on investment in delivering a Security Awareness Training program. Some figures that can help define this are found in the IBM and Ponemon Cost of a Data Breach report: the United Kingdom comes in as one of the highest countries for data breach costs, with the average being $4.67 million (£3.8 million) per breach.
Once you have the buy-in from your C-Suite, you can create the framework for an effective Security Awareness Training program that targets those at the top.
Carry Out C-Suite Role-Based Security Awareness Program
Cybercriminals are increasingly focusing efforts on individuals and roles in an organisation. This makes sense, as the more people are aware of security issues, the harder it gets to trick employees. However, if a hacker understands their target, they can create clever, hard to recognise, phishing emails. The C-Suite is in the sights of cybercriminals as they are the company’s financial heart and place of authority.
A C-Suite-focused attack happened to U.S. firm Scoular Co, which became a victim of Business Email Compromise (BEC). The firm lost $17.2 million to cybercriminals via three wire transfers after the fraudsters targeted the company’s CEO using spoof emails.
The Verizon 2021 Data Breach Investigations Report (DBIR) notes the importance of tailoring Security Awareness Training and concludes:
“There is no singular approach to minimizing the human risks that lead to breaches. Each corporation experiences different flavors of the same types of attacks and must customize their behavioral engineering and cyber security education programs accordingly.”
Design your Security Awareness Training around company roles and include the roles of the C-Suite. Focus on the types of attacks that target C-level staff, such as BEC and CEO impersonation.
Put the Social into the C-Suite
Cybercriminals who target the ‘big phish,’ such as the CEO and CFO, will find out about their prey. They do this as part of the social engineering chain that uses various techniques to manipulate behaviour.
One such tactic is to impersonate executives, also known as ‘whaling’ or ‘executive impersonation.’ One infamous example of this was a 2019 ‘deep fake’ attack, which spoofed the firm’s CEO’s voice to trick the U.K. Managing Director into sending $243,000 to the fraudster’s bank account.
This form of social engineering is surging, with a 131% increase noted in 2020-2021. These types of fraud rely on building up a profile of the target to provide the intelligence to perform social engineering.
Put social engineering awareness firmly on your security training calendar and train your C-Suite about their vulnerability in this area..
Spear-Phish the C-Suite
The C-Suite is at risk from spear-phishing attacks, which are a targeted form of phishing. A recent phishing email campaign used spoof Microsoft Office 365 emails to steal credentials. The campaign targeted C-suite executives and their assistants across many industries.
By Spear-phishing the C-Suite, a cybercriminal is going straight to the decision-maker in an organisation. Spear phishing works as the spoof emails are based on known intelligence about the target. The spear-phishers will often use the exact apps, like Office 365, that a company regularly uses.
Create a sophisticated simulated phishing campaign that is specifically aimed at your C-Suite. Use your knowledge of role-based phishing to create realistic-looking spear-phishing emails that target your C-Suite. Use an advanced simulated phishing platform that uses ‘point of need’ learning. This captures behaviour issues when they occur and gives the user information on what went wrong and why.
Know your C-Suite Through Security Awareness Training Metrics
Phishing simulation platforms such as MetaPhish, provide metrics in the form of a dashboard that displays data results from phishing simulations. This will give you feedback on how many of your C-Suite have clicked a link in a simulated phishing email. The reports can even show the device used to access the phishing email; this lets you further tailor and focuses your efforts on improving executives’ security behaviour.
Set the Tone for Security at the Top
Your executives working in the C-Suite are your internal influencers. But they need to be exemplars of excellent security behaviour to set an example to the entire workforce. Setting the tone for security at the top will encourage a security-first mindset. This security-first mindset is essential in creating a security culture and mitigating company cyber-risk.