There is currently a lot of talk in the media about people following or not following rules they have set, and an underlying feeling amongst some that those in a privileged position appear to believe that rules for the wider population do not apply to them. It’s not my intention to make any commentary on the political landscape (and I am sure you have heard enough of it anyway) but I wanted to draw some parallels with how cyber security is addressed in some organisations.
Those of you working in an organisation with a proactive cyber security programme will probably have noticed that many of the new safeguards introduced have some kind of time impact – certainly they almost never make it easier to do your job! Multifactor authentication is a classic example. We are all told it’s essential we are using it yet some staff are spending 15 minutes entering multifactor authentication codes in the morning (this author included) before they can even start work.
As a senior executive or business owner, the situation is even worse – you have to spend money to pay for the new measure AND your workforce becomes less productive. So maybe you can forgive those very senior people when they decide they need to exempt themselves from cyber security rules as they are costing the business the most money and reducing their productivity could potentially hurt the business the most?
Unfortunately, it does not work like that. Here is why this approach is so dangerous.
Most attractive target
Senior people in an organisation are by far the most attractive target for a cyber criminal. Often they are in possession of the most useful passwords – such as access to banking, financial systems or valuable intellectual property. Frequently this access has elevated privileges too – for example, approving large payments and setting up new payments. This is the kind of access a criminal is looking for as it’s an easy way for them to steal money.
Also, business owners and C-level execs have very well connected networks and often have details of their activities and business profile on public display. Even if a criminal cannot steal directly from them or their firm, if they get access to communication systems such as email or social media, they can easily dupe this contact base into disclosing passwords or financial details.
Leading by example
C-level staff are no strangers to leadership – it is after all their main role in an organisation. You lead your organisation by example and by doing this well you expect others to adopt and practise your values. This applies to cyber security as well.
As we have already established, improving cyber security will impose some level of burden on your staff. This will become a problem if, as a senior leader, you decide the rules do not apply to you. And you will be putting the jobs and income of those people at risk by the culture you are creating – leading to more risk in your business. To quote Gandhi, perhaps the most famous of all leaders, “Man becomes great exactly in the degree in which he works for the welfare of his fellow men.”
An attractive target
Ultimately cyber criminals know that senior executives have the most valuable access and are often not as well protected as other staff within an organisation. This makes them both an attractive and easy target – and so criminals will go out of their way to directly target them, which makes senior executives a major risk to the business. It is critical that, as responsible leaders, they act now to change their habits.
An IT security audit will clearly show the risks created by a lack of a security-conscious culture in your senior team. Get in touch now to find out more. Contact us on the form below or by calling 0330 124 3599 and we’d be pleased to help.