March 27, 2013 1:01
Your C-Level execs are your biggest social engineering threat. Why?
1) They Expect You to Have Their Back
These are the people who approve the security budget, and they know how much the organization spends on IT security. So when they open an infected attachment that hoses their machine, they ask: "Why didn't you prevent this?" instead of asking themselves what they did wrong.
2) They Live On The Bleeding Edge
C-level execs are the heavy hitters, with the busiest schedules and often a daunting workload. No wonder they are the first to insist on new technology that will save them time or make their lives a bit easier. So these are the people you see with iPads on the company network, and they assume that because the technology is new, it must of course be more secure than the 'old stuff'. Unfortunately we know better: new stuff is buggy and barely out of beta, and it can usually be hacked more easily and faster.
3) They Think Security Policy Is Not For Them
Your C-level people are the best targets for attackers, as they usually have the most access to the corporate jewels. Because their jobs are genuinely demanding, they naturally expect that 'restricting' security rules do not apply to them. They expect to be able to visit websites that are otherwise blocked by rules in the proxy server, and so on. The problem, of course, is that their security awareness is no higher than that of other employees, when C-level folks should be the best security-trained people in the organization!
4) Their Family Has A Target On Their Back Too
Social engineers are 'business people'. Their time is money too, so they go after the low-hanging fruit. In many cases that means using social media to infect the PC of your C-level exec's spouse at home, 'own' that low-security home network, and wait for the exec to log on to it with their company laptop. Bingo! Your C-level exec's family needs some security awareness training too.