30 Days of Compliance Q&As #22: My CEO Is My Biggest Security Threat – What Should I Do?

I recently read a study from ThreatTrack Security called "Malware Analysts Have the Tools to Defend Against Cyber-Attacks, But Challenges Remain."

Interestingly, this study discovered that one of the biggest security threats comes from the corner office.

How could this happen? How could your executives make your organization less secure?

When I ran network and security operations at previous organizations, we were told by CXOs to hold executives to lesser standards than were required of the rest of the users on the network. Executives did not want to be bothered with potentially being blocked from business-related web sites, so we made exceptions for all executives by not blocking or monitoring their web traffic. Because their web traffic was not monitored, they could not be held accountable to the company's acceptable use policy.

I also observed that sometimes executives had excessive system and file access rights on the network; these were not limited to a “need to know” basis.

By holding executives to a lesser security standard, companies open the door for hackers to gain access to the organization and take advantage of executives' excessive file and system access to steal all types of information.

According to the study, 56% of the malware analysts have had to remove malware from their executives’ PCs after those leaders infected their own devices by clicking on a malicious link in a phishing email.

Another 47% said they have removed malware from a PC because of an infected USB drive or a smartphone that a senior executive attached to the PC, and 45% of the malware analysts said senior execs have let family members use company-owned devices that led to malware infection.

And then there’s the porn. Almost 40% of malware analysts said they’ve removed malware from senior executives’ devices after those leaders visited an infected pornographic website.

 

Educating Your Executives

We need to educate everyone in the company, especially the executives, about the policies and procedures that are in place to safeguard and protect the organization. Executives should remember that they could be financially responsible if compliance mandates are not adhered to.

When infractions occur from misuse (such as when executives allow spouses or children to use the company laptop) or from violations of your company's acceptable use policy (visiting porn sites), CXOs and human resources should step in and address the issue immediately. Most of the time, participation in mandatory acceptable use training corrects the behavior.

If you are responsible for the compliance mandates in your organization, you should verify that EVERYONE is treated the same way. All policies and systems that monitor the network must be configured to monitor and alert on ANY and ALL violations – not just those of a subset of users – in order to be truly safe and compliant.
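The two failures described above (executives exempted from web filtering and monitoring, and violations that therefore never generate an alert) are easy to check for mechanically. The script below is an added example, not code from the original post or from AccelOps: it audits a constructed web-filter policy for per-user bypass and "unmonitored" entries, then evaluates constructed proxy log lines against the blocked categories for every user, deliberately ignoring the bypass list so that executives are held to the same acceptable use policy as everyone else. The policy and log formats are assumptions made for illustration and do not correspond to any real product.

```python
"""Audit a web-filter policy for user exemptions and report acceptable-use
violations for ALL users, not just the non-exempt ones.

Added example; the policy and log formats are constructed for illustration.
"""
import json
from collections import Counter

# Constructed sample policy: categories the acceptable use policy forbids, plus
# exemption lists of the kind the post describes (executives excluded from
# filtering and from monitoring).
SAMPLE_POLICY = json.dumps({
    "blocked_categories": ["adult", "malware", "phishing"],
    "bypass_users": ["ceo", "cfo"],        # never blocked by the filter
    "unmonitored_users": ["ceo"],          # traffic never logged/alerted on
})

# Constructed sample proxy log lines: timestamp user category url action
SAMPLE_LOG = """\
2014-03-03T09:12:01 alice business https://intranet.example/ allow
2014-03-03T09:14:22 ceo adult https://bad.example/ allow
2014-03-03T09:15:07 bob adult https://bad.example/ block
2014-03-03T09:20:45 cfo malware https://evil.example/payload allow
2014-03-03T09:21:10 carol news https://news.example/ allow
"""


def audit_policy(policy_json):
    """Return one finding per user exempted from filtering or from monitoring.

    An empty list means the policy applies uniformly to every account."""
    policy = json.loads(policy_json)
    findings = []
    for user in policy.get("bypass_users", []):
        findings.append(f"user '{user}' bypasses web filtering")
    for user in policy.get("unmonitored_users", []):
        findings.append(f"user '{user}' is excluded from web traffic monitoring")
    return findings


def parse_log(text):
    """Parse the whitespace-separated sample log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, category, url, action = line.split()
        records.append({"ts": ts, "user": user, "category": category,
                        "url": url, "action": action})
    return records


def find_violations(policy_json, log_text):
    """Return (user, category, url, action) for every request to a blocked
    category. The bypass and unmonitored lists are intentionally ignored:
    the same policy is applied to every user."""
    policy = json.loads(policy_json)
    blocked = set(policy["blocked_categories"])
    return [(r["user"], r["category"], r["url"], r["action"])
            for r in parse_log(log_text) if r["category"] in blocked]


def violations_by_user(policy_json, log_text):
    """Count violations per user, for the HR/compliance follow-up the post describes."""
    return Counter(v[0] for v in find_violations(policy_json, log_text))


def allowed_violations(policy_json, log_text):
    """Violations the filter let through ('allow'); in this sample these are
    exactly the requests made by users on the bypass list."""
    return [v for v in find_violations(policy_json, log_text) if v[3] == "allow"]


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("POLICY:", finding)
    for user, n in violations_by_user(SAMPLE_POLICY, SAMPLE_LOG).items():
        print(f"VIOLATION: {user} made {n} request(s) to blocked categories")
    for user, category, url, _ in allowed_violations(SAMPLE_POLICY, SAMPLE_LOG):
        print(f"UNBLOCKED: {user} reached {category} site {url}")
```

Running the script against the constructed data reports the two exemption entries, one violation each for the CEO, CFO and a regular user, and shows that only the two exempted executives actually reached the blocked sites. The same split between the filter's verdict and the policy's verdict is what a uniform monitoring rule must alert on.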

 

 

 

Authors

Marta Stone
