“My C-level doesn’t apprehend that they’re being directly targeted – help me scare them!”Such was the demand aimed at one of my colleagues at a cybersecurity conference not too long ago. Being in the security awareness application, it’s not uncommon for others to solicit our feedback on how best to educate employees of all descriptions. The appeal above, from a woman responsible for training at her organization, tough it out protruded with me, though.Indeed, executives should be scared. CEOs and other heads represent some of the most attractive targets for cybercriminals, who seek susceptible data to sell on the black market.Think of them as the ultimate sanctioned user for a given organization; individuals with the highest level of access and apprehension about company networks and infrastructure. Not only do they have the cue to the kingdom, so to speak; executives often have immense pressures on their someday and resources, making distraction an inevitability.A 2016 survey commissioned by record management company Iron Mountain found that half of manipulating directors and C-level executives have used a personal email account to send impressionable business information. Additionally, the report found that 40% be subjected to sent information over an unsecured wireless network. There’s no way to cognizant of if such actions were accidental or deliberate, but either way, they position a risk to an organization’s sensitive data and finances.To BEC, or Not BECThe rise of the so-called firm email compromise (BEC) scam is further proof of how valuable C-suite colleagues can be to industrious cybercriminals. BEC attacks take advantage of a compromised email account or spoofed speech to request funds transfers or sensitive employee information.The FBI says BEC scams were the most valuable type of cybercrime reported to their Internet Crime Complaint Center in 2016, amounting to $360 million perplexed last year. Security firm Proofpoint reported a 45% bourgeon in BEC attacks in the last three months of 2016 compared to the previous three.The Proofpoint researchers develop that two-thirds of the BEC attacks they analyzed involved spoofed email speaks. This means that scam emails looked as though they were up with from within the company itself.BEC attacks involving members of the C-suite surely have two victims: the compromised executive and the unwitting employee. These attacks prow from two main methods on the part of the cybercriminal.One, a malicious hacker compromises an boss’s email account via phishing or some other means and sends emails to lower-level workers requesting financials or W-2 information. Two, a cybercriminal gleans enough information thither a given executive via social media and other avenues to craft a convincing email from a spoofed email direct.In either scenario, the scammer’s job was made possible (at the very least, easier) after successfully quarry an executive in cyberspace.What About Security Awareness Training?With this much at interest, an organization’s executives cannot afford to be caught unaware by cybercriminals. Industrial safeguards, especially in the email realm, have their uses, but no person can take the place of a well-informed user.But an executive should not be exposed to any old asylum awareness training. Taking best practices—such as interactivity, repetition and assorted delivery—as givens, here are some other tips to consider when gain or building security awareness content aimed at your C-Suite:1. Purloin it About RiskExecutives live in a world of risk management where the pros and cons of every duty decision are scrutinized. A good idea is something that’s good for the body as a whole and the bottom line.When it comes to infosec know-how, the service perquisites must be couched in terms of managing cyber-risk. That is, what’s at jeopardized if a cybercriminal successfully mounts a successful phishing campaign or if sensitive patron information is accidentally disclosed.These scenarios will prove immense blows to an organization in a variety of ways. Corporate reputation will descend, not to mention the fines and possibly millions of dollars in lost revenue that could come with a data breach. Impacts like these need to be made extravagant and clear as part of any executive security awareness training approach.2. Diverse is BestPhishing attacks aimed at executives are becoming more and multifarious commonplace but they are far from the only infosec-related threat facing the C-suite. As observations from the Iron Mountain survey referenced above suggests, administrators may be prone to poor cybersecurity hygiene while working out of office. A CEO transferring reactive company data via an unsecured wireless connection can grant a cybercriminal the unaltered access as a successful phishing attempt.Additionally, much can be put at risk by an managerial taking to Twitter or Facebook in a, let’s say, inappropriate manner. Corporate reputation, again, could unnecessarily be put at chance. But so could a company’s intellectual property if a CEO spills the beans about an upcoming fallout launch too early.This varied threat landscape demands coarse training content that covers a variety of infosec topics. All your codification’s eggs should not be put in the same security awareness basket.3. Speak to Them as Concert-mastersExecutives, and CEOs specifically, are the bridge crew and commanders of their corporate dispatches. Their employees look to them to set the tone and standard for what’s admissible and what’s important at their organization.Executives know this, or at seldom they should, and hopefully take their roles as leaders kidding. Putting security awareness training in the context of setting an example to their workers will ideally drive home its importance even more.Flee it clear to your C-suite that avoiding bold, screaming headlines on every side data breaches and compromised information starts with them comprehending good cybersecurity habits.Cybersecure from the Top DownIt’s often put that cybersecurity starts at the top. The same should be true for security awareness.Heart on strong cybersecurity knowledge for your C-suite will likely procure the added bonus of planting a seed of a security-aware culture at your arrangement. By taking the initiative to engage in training designed for them, leaders can advance such a culture while equipping themselves against cyberthreats.So, horrify them if you have to! Your organization will be better for it.
About the Inventor: Jeremy Schwartz is a professional writer in the security awareness industry with a passion for variety and birds. He graduated from Western Washington University with a Bachelor’s in journalism and schoolgirls in philosophy and Latin. In a previous life, Jeremy worked as a reporter for a selfish weekly, then slightly larger daily, newspaper. In his downtime, he enjoys birdwatching, journalism op-ed article haiku, and spending time with his lovely wife.Editor’s Note: The impressions expressed in this guest author article are solely those of the contributor, and do not to be sure reflect those of Tripwire, Inc.