CISO: Do as I say, not as I do

Sheila Zabeu -

June 01, 2021

Cybersecurity leaders in companies may not be practicing what they require of their subordinates. The revelation was made by a survey that sought to identify the behaviors of those responsible for guarding company boundaries that may be under threat, especially when it comes to social media as an attack vector.

The results showed that 57% have experienced in their personal routines ATO (Account Takeover) type attacks — which usually steal an identity to gain unauthorized access to their accounts — most often through email (52%), but also LinkedIn (31%) and Facebook (26%). Around a quarter (24%) of respondents also use the same password for professional and personal tasks. And nearly half (45%) of cybersecurity leaders expose themselves by connecting to public Wi-Fi networks without using a VPN.

Among other highlights of the study are the following points:

  • Cybersecurity leaders are frequent targets of phishing attacks, with the perpetrators often posing as CEOs. The number of such attacks grew by 667% during the Covid-19 pandemic, relying on a variety of tactics. Nearly three-quarters of leaders surveyed said they had been targets of phishing or vishing attacks (which involve the use of voice calls). A third (34%) commented that someone impersonated the CEO during the attack. And 28% reported having no special security measures in place to protect their executives from cyberattacks.
  • Cybersecurity leaders often use work devices to connect to personal social networks. Almost half (48%) of respondents use their computer at work to access social networking platforms. In addition, 77% of cybersecurity leaders often accept invitations from unknown people, especially on LinkedIn (63%).
  • Password carelessness among cybersecurity leaders. Nearly one in four cybersecurity leaders uses the same password in their professional and personal routines. In addition, 39% reported that they hadn’t changed their professional email passwords in the past 30 days.
  • Most organizations do not monitor potential threats to their brand on social media. Over 50% of respondents do not have formal policies or processes in place to monitor the digital public sphere, including social media, blogs, and forums, to protect against harmful impacts on the organization’s brand or reputation.

The survey interviewed more than 100 global cybersecurity leaders, from senior level to C-suite members, in industries such as financial services, technology, healthcare, retail, and telecommunications.