Executives: Life in the Cybersecurity Fast Lane
Most folks get the same basic type of phishing email.
You know the kind: click here to get your tax refund early, visit this site to sign up for the COVID-19 vaccine, download this file to verify that your insurance records are correct.
These emails can be tricky at times, but with good base-level cybersecurity skills most people get quite good at deleting and reporting them.
Phishing at a Higher Level
But the kind of phishing attempts that target executives are far from routine. They reference precise details about work, reflecting research that cybercriminals do to understand the personal and professional interests of the target.
These attacks may appear to come from colleagues, as cybercriminals spoof the email accounts of fellow executives as a front for making urgent requests to “wire money” or transfer data.
To combat such phishing attempts, executives need to apply a far more finely honed set of cybersecurity skills. They need to play the game at a higher level.
Across the cybersecurity domain, executives are simply exposed to a higher level of risk than regular employees—and they need a higher level of skill and attention to stay safe. That’s why it’s important that we prepare them differently.
Navigating the Twists and Turns of Cybersecurity
Let me use something I’m passionate about to illustrate this point: driving my sports car on a racetrack. It’s a different level of risk and a different level of skill than anything I do in my daily driving.
Most phishing emails are the equivalent of a drive in the suburbs.
There are stop signs and intersections, you’re generally just trying to get where you need to go, and there is not a lot of skill required. Some basic driver’s ed is all you need to get around safely.
But the phishing emails targeted at executives are like a high-speed drive on a racetrack. There are no speed limits, your objective is to go as fast as possible, and you’re generally driving high-performance cars.
Everything you do on a racetrack is intensified: when you accelerate, you do so at 100%; when you brake, 100%. You are seeking to maximize your speed, so you only slow down the minimum you need to get through the turn, and you seek maximum velocity as soon as possible.
You try to find the straightest line through the curves, and that means using ALL the road, often placing your car at the very edge of the track. If you’re a thrill seeker—and I guess I am—it’s pretty damned thrilling, especially when you do it well.
This increased level of risk—and the performance needed to succeed despite that risk—is true across the range of cybersecurity risks that executives face:
- Their passwords and their password management practices must be more secure, because the systems they access are more critical
- Their remote connection practices must be enhanced, because they travel more and that travel may be tracked by criminals
- Their use of social media must be more astute and guarded, because their words mean more
Name a cybersecurity behavior that you want employees to master, and I guarantee that executives need to master it at a higher level.
Higher Stakes, Higher Cybersecurity Risk
That’s why we need to prepare executives to handle their cybersecurity challenges the way we prepare people and their cars to drive on racetracks.
Let’s think first about driving. It’s true that the basic conventions of driving are the same for driving on the public roads and the track. You sit in a four-wheeled vehicle, press the gas to go and the brakes to stop.
But the moment you drive out onto the racetrack, everything is intensified: your speed, your braking, your focus. Because you’re driving so fast and hard, the risks are high. But there’s a lot you do to ensure safety: you wear an approved helmet, you’re in a car that passes safety inspections.
Before you go on the track you spend time in exercises and drills to prepare you for anything that happens. Thanks to this preparation, I’ve really never felt in danger (though I have been aware of the risks).
It’s similar with cybersecurity: I know there are dangers out there as I navigate my digital environment, but I feel prepared to deal with those dangers because I’ve practiced and studied and prepared for the risks.
This is the way you want your executives to feel about cybersecurity: not only that they’ve been given the keys to a high-performance car, but that they’re also prepared to drive that car safely under the most demanding conditions. So you’ve got to take extra steps to familiarize them with the risks they face and the precautions they must take to stay safe.
Whether you’re an executive evaluating your own cybersecurity preparedness or a training manager evaluating the readiness of your executive team, you might ask yourself: are you or your team ready to perform at the highest level?