In recent years, it has become conventional wisdom that corporate employees pose the greatest threat to companies’ cybersecurity. A recent survey by IT security provider Ivanti indicates that senior executives need to recognize that they may be an even greater threat to their own companies’ cybersecurity.
In its December 13 State of Security Preparedness 2023 study, Ivanti surveyed 6,500 executive leaders, cybersecurity professionals, and office workers. Some of the study’s most concerning findings pertained to behaviors by professionals such as CEOs, vice presidents, and directors:
- More than one-third of surveyed leaders had clicked on a phishing link, four times the rate of other office employees.
- Leaders (one out of four) were much more likely than employees to keep using the same passwords for years rather than updating them regularly.
- Nearly one in four leaders “use easy-to-remember birthdays as part of their password.”
- Leaders were “five times more likely to share their password with people outside the company.”
- More than 1 in 3 leaders “have fallen victim to phishing scams, either by clicking a scam link or sending money.”
While 73 percent of security professionals and leaders reported that their organizations were planning to increase their cybersecurity budgets in 2023, and 74 percent of security professionals stated that they budget for security breaches, other responses about the actual state of organizations’ cybersecurity were more concerning:
- Only 52 percent of leaders and security professionals responded that “they have ‘high visibility’ into every user, device, application and service on their network.”
- 45 percent of security professionals said that “they either suspect or know that former employees and contractors still have active access to systems or files in the form of still-active usernames, passwords and login information.”
- Although 92 percent of security professionals said that “they have a method to prioritize which vulnerabilities to patch”, “when asked which types of patches are prioritized, security professionals tell us all types rank high — meaning none do.”
In addition, Ivanti asked 1,356 executive leaders and security professionals whether they would be willing “to wager a chocolate bar” on the cybersecurity protections their organizations have in place. Even though 97 percent of security professionals and leaders surveyed said that “their organizations are as prepared or more prepared today than one year ago”, 20 percent would not wager a chocolate bar on their cybersecurity.
Information security officers should include details of the Ivanti report in briefings and training materials, and not only for their own teams or mid- and lower-level employees. As the report recommends, “organizations need to develop customized training curricula and tech interventions for CEOs and other high-level executives.” As business email compromise schemes are projected to continue to grow through 2027 at a compound annual growth rate of nearly 20 percent, it is incumbent on senior executives to model proper cybersecurity behavior consistently to subordinates and each other. Failure to do so can have disastrous results for their companies – and for their continued employment.