
Complacency at a senior level


Vivek Dodd at Skillcast explores the silent cyber-security threat that could cost companies millions


Organisations must urgently address cyber-security complacency at the senior level, as leadership inaction poses a significant risk to data security and business integrity.


In today’s digital landscape, cyber-security threats pose a significant risk to businesses of all sizes. Organisations invest heavily in sophisticated security systems, employee training, and awareness programs. Yet alarming cyber-security trends persist, which could have severe consequences.


A recent survey conducted by compliance training provider Skillcast found that senior-level employees are three times less likely to report compromised passwords or suspicious IP addresses compared to entry-level staff, exacerbating cyber-security risks within organisations. 


This gap poses a substantial risk to companies because senior staff typically have access to more sensitive information, making them prime targets for cybercriminals. Reporting from employees at this level is crucial to mitigate risks as it allows businesses to make swift decisions and embeds a culture of proactive security.


Why are senior employees at greater risk?

Before you can look at how to encourage senior staff to take cyber-security more seriously, it’s important to first understand the factors that contribute to their increased vulnerability to cyber-threats.


Overconfidence and complacency are common factors. Many senior-level employees, with years of experience and a track record of accomplishments, may perceive themselves as immune to cyber-threats. This overconfidence often leads to complacency, where they mistakenly assume that cyber-security is an “IT issue” rather than a shared responsibility. 


These employees also often have access to sensitive information, including financial records, strategic plans, and intellectual property. Cybercriminals understand the value of this access and will target senior leaders through sophisticated attacks. 


The third reason that crops up most often is busy schedules, which can limit participation in cyber-security training. In contrast, entry-level staff may have more time for training and awareness initiatives. A lack of training means that senior-level staff may not be up to date on the latest threats, which makes them more susceptible to attacks. 


Consequences can be severe 

When senior employees fail to take cyber-security seriously, the consequences can be severe. The ramifications for the business could include: 

  • Data breaches and financial losses: In 2023, the average cost of a data breach in the UK was £3.4 million.
  • Loss of competitive advantage: For companies that rely on private information, losing control over confidential data can jeopardise their competitive position.
  • Regulatory and legal penalties: Non-compliance with data protection regulations can expose companies to hefty fines. The largest fine issued in the UK during 2023 was a staggering £12.7 million.
  • Damage to brand: Public confidence in an organisation is likely to decline if customers and partners feel that the company is not doing enough to protect their data.


From passive participants to active defenders

A change in mindset is key to addressing the cyber-security gap among senior-level staff. The Chief Information Security Officer (CISO) has a unique responsibility to drive this change, ensuring that cyber-security becomes a shared responsibility across all levels of the organisation.


Tailored training for senior leadership is key to this change in mindset. Standard programs may not resonate with senior leaders who have different needs and experiences compared to entry-level staff. Developing tailored training emphasising real-world consequences, using case studies and examples involving companies of a similar size is likely to see senior leaders take the training more seriously.


Hands-on exercises and activities that mimic real-world cyber-attacks are a good tactic, as they help staff engage with the risks and consequences of cyber-incidents. Building tabletop exercises into training programmes allows executives to experience the pressure of responding to a breach in a controlled, real-time environment.


Aligning cyber-security with the company’s strategic goals, and highlighting the financial, legal, and reputational risks of not addressing the threat, is another key action a CISO can take. When senior staff understand this and begin to champion cyber-security, it sends a strong message to the entire organisation.


All staff respond well to incentives. By integrating cyber-security objectives into performance reviews or offering bonuses for active participation in cyber-security programs, CISOs can motivate all staff - not just senior leaders - to be more vigilant. 


Finally, one of the most important actions a CISO can take is to simplify the reporting process. User-friendly tools and clearly communicated reporting channels remove major barriers to reporting, helping to facilitate timely responses to cyber-threats.


Leading the change

By following these steps, the CISO can help change senior employees’, and indeed the whole organisation’s, perception of cyber-security from an IT issue to a business issue.


The growing prevalence of cyber-threats means that no one can afford to be complacent, especially those at the highest levels of an organisation - actions, or inactions, can have profound consequences. 


As cyber-risks evolve, so too must the strategies to mitigate them, and that starts with CISOs taking the necessary steps to encourage senior-level employees to make cyber-security a priority.

Vivek Dodd, CFA is a director at Skillcast
