FRED TANNEAU/AFP/Getty Images
show image

GlobalData Technology

Providing actionable insight into the technology industry

Why cyber security training must start at the top

Cybercriminals are increasingly targeting the top, seeking out C-level executives who have access to the most sensitive company information. And that data, increasingly in the cloud, is more vulnerable than ever.

According to the Verizon 2019 Data Breach Investigations Report issued in May, based on a survey of 41,686 security incidents and 2,013 confirmed breaches from 86 countries, senior executives are 12 times more likely to be the target of security incidents and nine times more likely to be the target of security breaches than in previous years. Financial motivation was the most important reason for breaches, accounting for 12 per cent of all breaches.

The security report signals that hackers are recognising something important: C-level executives may be the most likely to allow the hackers in. According to the Verizon report, senior executives – who are typically short on time, under pressure to meet various operating or financial targets, and not fully aware of the growing cybersecurity threat – are unintentionally letting hackers on to enterprise systems.

Once they get in, it’s off to the races. That’s because top executives tend to have the highest level of access to sensitive corporate data, and this is exacerbated by the fact that lower-level staffers are reluctant to question even unusual activity if it is coming from the bosses.

The Verizon report also points to the growing trend of sharing and storing information in the cloud, which exposes companies to new levels of threat. One particular challenge: cloud-based email accounts are more vulnerable to stolen credentials than in-house email accounts. In addition, sloppy errors related to storing data in the cloud have led to the accidental exposure of 60 million records.

The threat level is rising in several areas, including ransomware, cyberespionage, and web application breaches. The good news is that, once the US FBI Internet Crime Complaint Center (IC3) gets called in, most US victims can recoup most financial losses from data breaches. However, the bad news is that the IC3 doesn’t get involved until after a breach. Given the inevitable operating disruptions and potential damage in customer trust, it is clear companies must do a better job implementing cybersecurity best practices – and the training must start at the top.

GlobalData is part of the same group as NS Tech