CEOs and other senior board-level executives are exposing their organisations to cyberattacks and hackers because of a lack of awareness around cybersecurity, a new study has warned.
Research by cybersecurity company RedSeal surveyed hundreds of senior IT and security professionals and found that many of these personnel believe there's a disconnect between the CEO and the information security team, which could be putting organisations at risk.
While almost all security teams (92%) set out specific plans to help protect their CEO from cyberattacks and data breaches, 54% of security personnel believe their CEO is ignoring these plans, potentially opening the door to cyberattacks.
One in ten even went so far as to say decisions or actions made by the CEO or other high-ranking management had actively put the cybersecurity of the business at risk, while 14% said their CEO hasn't received any cybersecurity training.
Meanwhile, 95% of those surveyed said they're concerned that poor cybersecurity of consumer Internet of Things devices means that smart homes could be hacked – but over a third (38%) aren't aware of which connected devices their CEO uses when they're out of the office or at home.
This could potentially provide a new avenue for cyberattackers who want to conduct espionage, steal information or even blackmail high-profile targets.
"Smart devices compete on convenience and price. Security is usually an after-thought, if it's addressed at all. Some popular smart devices, like smart speakers, compromise privacy even when working as intended -- which is scary when you think about the opportunity this presents to people who want to spy on CEOs for commercial or national advantage," said Mike Lloyd, CTO of RedSeal.
"CEOs have wide access to their organisation's network resources, the authority to look into most areas, and frequently see themselves as exempt from the inconvenient rules applied to others. This makes them ideal targets," he added.
However, despite some having fears around security at the very top of the organisation, on the whole, businesses appear to be taking cybersecurity seriously. Two thirds of businesses say their cyber-incident response plan is well defined and well tested – either via real breaches, or simulation tests.
Three quarters of firms also report they have cyber insurance, suggesting there's an awareness around preparing for the aftermath of an incident, should one occur.
"In a complex and interdependent world, some attacks are bound to succeed. Organisations must look to a strategy of resilience. They'll survive only by planning in advance for how the inevitable successful attacks will be handled," said Lloyd.