One of the biggest challenges security teams face is resolving the issue of human error, especially when it comes to senior executives. We all know that human error is by far the biggest cause of cybersecurity breaches – people clicking on links in emails that they shouldn’t. We also know that the higher up the individual, the bigger the risk.
The 2019 Verizon Data Breach Investigations Report outlined that senior executives are 12 times more likely to be the target of social engineering-related incidents, and nine times more likely to be the target of social engineering breaches. Given these facts, common sense would dictate that these senior employees should be subject to proportionately more security controls and security training. In reality, the opposite is often the case.
The security team finds itself between a rock and a hard place, due to a myriad of factors that make the C-suite a difficult group to work with. It starts with historical access. The C-suite will have been given access in the past to a number of sensitive systems, on the assumption that their authority and remit require highly privileged access.
As well as being regarded as a mark of prestige, that access will have been granted on the understanding that the C-suite must not experience any friction when doing mission-critical business. They don’t have time to be asking for permissions.
Another issue is technical acumen. Whilst the C-suite will undoubtedly have a huge array of business skills, many will not have grown up connected to the web and, as such, may not take the cyber threats as seriously as they should. The average C-suite member is in their fifties. Today’s children have ‘stay safe online’ lessons from primary school. Habits are hard to break.
The answer to C-suite access isn’t easy, but it must be made a priority within the security program. Yes, security teams feel conflicted about how to challenge the C-suite and get them to prioritize training over what are perceived to be more ‘business-critical’ meetings, but ultimately time must be allocated and treated as sacrosanct.
Educating the entire leadership team on the elevated risk they introduce to their organization because of their public profile will secure their buy-in for the stringent security measures required to protect the business, while holding the team accountable for non-conformance.
Where possible, the C-suite access project should be done alongside a company-wide privileged access management review. This is best done by starting with the basics: the principles of risk. Each system needs to be classified according to its level of risk – whether a compromise of a business-critical system could cause reputational damage, or an outage could affect business operations or customer experience. The systems then need to be prioritized and mapped against who has access to them and what rights that access enables.
There then needs to be a new governance policy aligned to the principle of least privilege. This is especially pertinent for employees with a high public profile, of whom the C-suite are the key group. Ultimately, the C-suite should only have access to the systems they need, appropriate to their tasks and responsibilities.
That access shouldn’t be maintained indefinitely, and it must be regularly reviewed. Crucially for the C-suite, the type of access should also be carefully considered. For example, would a read-only privilege be sufficient? Every system they can write changes to is one that an attacker who compromises their account can change too.
Once new privileges are implemented, they need to be regularly reviewed and measured. An advisable place to start is by checking whether training is succeeding. Training completion rates must be checked, and individuals who haven’t completed their allocation must be followed up.
Another good tactic is to look at phishing test results – by comparing the C-suite’s results against those of other senior executives, you’ll have data that can be used to make the C-suite take the situation more seriously and galvanize a change in behavior.
Once the program has been running for a significant period, the key metric that must be regularly reviewed is the overall entitlement reduction on higher-risk systems. This number should decrease on an ongoing basis, with support from the C-suite.
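The review described above (rank systems by risk, map who holds what rights, flag high-risk write access held by public-profile users, check review age, then track entitlement reduction as the ongoing metric) can be run mechanically over an access inventory. The following is an added example, not code from the article or any product it mentions: the system risk tiers, the user attributes, the two snapshots and the 90-day review window are constructed assumptions for illustration.

```python
# Added example (not from the article): a least-privilege entitlement review over a
# constructed access inventory. Risk tiers, user attributes, the snapshots and the
# 90-day review window are assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, List

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}  # sort findings highest-risk first


@dataclass(frozen=True)
class System:
    name: str
    risk: str  # "high" | "medium" | "low": tier assigned in the risk-ranking step


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    right: str            # "read" or "write"
    public_profile: bool  # True for C-suite and other high-profile users
    days_since_review: int


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    risk: str
    reason: str


REASON_WRITE = "write access to a high-risk system held by a public-profile user; consider read-only"
REASON_STALE = "entitlement not reviewed within the review window"

# Constructed inventory: output of the "classify each system by risk" step.
SYSTEMS: Dict[str, System] = {
    "prod-db": System("prod-db", "high"),
    "payroll": System("payroll", "high"),
    "crm": System("crm", "medium"),
    "wiki": System("wiki", "low"),
}

# Constructed snapshot taken before the least-privilege review.
BEFORE: List[Entitlement] = [
    Entitlement("ceo", "prod-db", "write", True, 400),
    Entitlement("ceo", "payroll", "write", True, 30),
    Entitlement("ceo", "wiki", "write", True, 10),
    Entitlement("cfo", "payroll", "read", True, 20),
    Entitlement("dev1", "prod-db", "write", False, 200),
    Entitlement("dev1", "wiki", "read", False, 5),
]

# Constructed snapshot after the review: the CEO's prod-db access was removed,
# payroll was reduced to read-only, and every remaining entitlement was re-reviewed.
AFTER: List[Entitlement] = [
    Entitlement("ceo", "payroll", "read", True, 5),
    Entitlement("ceo", "wiki", "write", True, 5),
    Entitlement("cfo", "payroll", "read", True, 5),
    Entitlement("dev1", "prod-db", "write", False, 5),
    Entitlement("dev1", "wiki", "read", False, 5),
]


def review(entitlements, systems, max_review_age_days=90):
    """Flag entitlements that breach the policy, ordered with the highest-risk systems first."""
    findings = []
    for e in entitlements:
        risk = systems[e.system].risk
        if e.public_profile and risk == "high" and e.right == "write":
            findings.append(Finding(e.user, e.system, risk, REASON_WRITE))
        if e.days_since_review > max_review_age_days:
            findings.append(Finding(e.user, e.system, risk, REASON_STALE))
    # Stable sort: ties keep their inventory order.
    findings.sort(key=lambda f: (RISK_ORDER[f.risk], f.user))
    return findings


def high_risk_entitlements(entitlements, systems, write_only=False):
    """Count entitlements on high-risk systems, optionally only those with write rights."""
    return sum(
        1 for e in entitlements
        if systems[e.system].risk == "high" and (not write_only or e.right == "write")
    )


def entitlement_reduction(before, after, systems, write_only=False):
    """Percentage drop in high-risk entitlements between two snapshots: the ongoing metric."""
    base = high_risk_entitlements(before, systems, write_only)
    if base == 0:
        return 0.0  # nothing to reduce; avoid dividing by zero
    now = high_risk_entitlements(after, systems, write_only)
    return round((base - now) * 100.0 / base, 1)


if __name__ == "__main__":
    for f in review(BEFORE, SYSTEMS):
        print(f"[{f.risk}] {f.user} on {f.system}: {f.reason}")
    pct = entitlement_reduction(BEFORE, AFTER, SYSTEMS, write_only=True)
    print(f"high-risk write entitlements reduced by {pct}%")
```

Running the review over the constructed BEFORE snapshot produces four findings (two for the CEO's stale write access to prod-db, one for the CEO's write access to payroll, one for a developer's stale prod-db entitlement) and none over AFTER; the write-only reduction between the two snapshots comes out at 66.7%, which is the kind of number the article suggests reporting back to the C-suite on an ongoing basis.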
Reducing the business risk from cyber attacks is obviously a strategic priority for all businesses, and it’s one that the C-suite are publicly getting behind. That said, as with many things that are good for us, knowing the theory doesn’t mean that we want to put it into practice.
The CISO can, wrongly, be viewed as obstructive. There’s always a fine balance in cyber between making information easily accessible and keeping the data safe. Unfortunately, when it comes to the C-suite there is no wiggle room – they are high profile targets, so access needs to be locked down and proper authentication procedures laid over the top. No wonder that ‘good communications skills’ are frequently rated as the biggest must-have skill for today’s CISO.