I recently read a study from Threat Track Security called "Malware Analysts Have The Tools To Defend Against Cyber-Attacks, But Challenges Remain."
Interestingly, this study discovered that one of the biggest security threats comes from the corner office.
How could this happen? How could your executives make your organization less secure?
When I ran network and security operations at previous organizations, we were told by CXOs to hold executives to lesser standards than were required of the rest of the users on the network. Executives did not want to be bothered with potentially being blocked from business-related web sites, so we made exceptions for all executives by not blocking or monitoring their web traffic. Because their browsing was not monitored, they could not be held accountable to the company’s acceptable use policy.
I also observed that sometimes executives had excessive system and file access rights on the network; these were not limited to a “need to know” basis.
By holding executives to a lesser security standard, companies open the door for hackers to gain access to the organization and take advantage of executives’ excessive file and system access to steal all types of information.
According to the study, 56% of the malware analysts have had to remove malware from their executives’ PCs after those leaders infected their own devices by clicking on a malicious link in a phishing email.
Another 47% said they have removed malware from a PC because of an infected USB drive or a smartphone that a senior executive attached to the PC, and 45% of the malware analysts said senior execs have let family members use company-owned devices that led to malware infection.
And then there’s the porn. Almost 40% of malware analysts said they’ve removed malware from senior executives’ devices after those leaders visited an infected pornographic website.
Educating Your Executives
We need to educate everyone in the company, especially the executives, about the policies and procedures that are in place to safeguard and protect the organization. Executives should remember that they could be financially responsible if compliance mandates are not adhered to.
When infractions occur from misuse (such as when executives allow spouses or children to use the company laptop) or from violations of your company’s acceptable use policy (going to porn sites), CXOs and human resources should step in and address the issue immediately. Most of the time, participation in mandatory Acceptable Use Training corrects the behavior.
If you are responsible for the compliance mandates in your organization, you should verify that EVERYONE is treated the same way. All policies and systems that monitor the network must be set up to monitor and alert on ANY and ALL violations – not just a subset of users – in order to be truly safe and compliant.
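One way to check that nobody has been carved out of filtering or monitoring is to evaluate the proxy policy the way the proxy does (first matching rule wins) for each user and compare the result against a baseline user. The script below is an added example, not code from the original post or from any vendor; the rule format, the group names and the sample policy are constructed assumptions that mirror the executive exception described above.

```python
"""Audit a first-match web-filtering policy for users who end up with weaker
filtering or no logging than the baseline user. The rule format is a
constructed simplification (an assumption), not any vendor's syntax."""

# Constructed sample policy modelled on the exception described above:
# an early catch-all rule lets executives through unfiltered and unlogged.
SAMPLE_RULES = [
    {"name": "exec-bypass",   "subjects": ["executives"], "category": "any",
     "action": "bypass", "log": False},
    {"name": "block-adult",   "subjects": ["all-users"],  "category": "adult",
     "action": "block",  "log": True},
    {"name": "block-malware", "subjects": ["all-users"],  "category": "malware",
     "action": "block",  "log": True},
    {"name": "default-allow", "subjects": ["all-users"],  "category": "any",
     "action": "allow",  "log": True},
]
# Constructed directory: user -> groups (hypothetical names).
SAMPLE_GROUPS = {"jdoe": ["executives"], "asmith": ["finance"]}
CATEGORIES = ("adult", "malware", "business")


def effective(rules, principal, groups, category):
    """First-match evaluation: the first rule whose subjects cover the principal
    (by name, by group, or via 'all-users') and whose category matches decides."""
    memberships = {principal, "all-users", *groups.get(principal, [])}
    for rule in rules:
        if rule["category"] in (category, "any") and memberships & set(rule["subjects"]):
            return rule["action"], rule["log"]
    return "allow", True  # assumed implicit default: permit and log


def audit_policy(rules, groups, categories=CATEGORIES):
    """Return (user, category, reason) for every user whose effective treatment
    is weaker than that of a baseline user who belongs to no group."""
    findings = []
    for user in groups:
        for cat in categories:
            base_action, base_log = effective(rules, "baseline", {}, cat)
            action, log = effective(rules, user, groups, cat)
            if base_action == "block" and action != "block":
                findings.append((user, cat, f"not blocked ({action}) while baseline is blocked"))
            if base_log and not log:
                findings.append((user, cat, "traffic not logged while baseline is logged"))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_RULES, SAMPLE_GROUPS):
        print(*finding)
```

Run against the sample policy, every finding names the executive account, while the finance user receives exactly the baseline treatment.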