Ivanti today announced the results of its Executive Security Spotlight report as part of Ivanti’s Cybersecurity Status Report Series. Ivanti surveyed over 6,500 executive leaders, cybersecurity professionals and office workers to understand today’s threats and discover how organizations are preparing for yet-unknown future threats.
Top executives — the employee group most targeted by threat actors — are frequently provided unfettered access to valuable data sources and networked assets. While 96% of leaders say they are at least moderately supportive and invested in their organization’s cybersecurity mandate, the reality is that 49% of CXOs have requested to bypass one or more security measures in the past year. Although security leaders are aware that high-access executives present a unique security threat, the research reveals that executive security exceptions and low-risk time-savers lead to outsized organizational risks.
The report identifies several executive cybersecurity habits and behaviors that security professionals need to be aware of:
- One in five leaders have shared their work password with someone outside the company.
- 77% use easy-to-remember password hacks, including birthdates or pet names.
- CXOs are three times more likely to share work devices with unauthorized users, such as friends, families and external freelancers.
- One in three executives admit to accessing unauthorized work files and data, and nearly two in three say that they could have edited those files/data when accessing them.
Moreover, the report highlights a critical issue of trust and communication between executives and the security teams responsible for protecting them. Executives are two times more likely to say their past interactions with security were ‘awkward’ or ‘embarrassing’ when sharing security concerns. This makes executives four times more likely to resort to external, unapproved tech support. To address this, the report emphasizes the importance of rebuilding trust and fostering a collaborative relationship between security teams and executives based on honesty and friendly support, rather than being punitive.
“When executives are willing to trade security for usability, they may be underestimating just how lucrative of a target they are for threat actors,” said Daniel Spicer, Chief Security Officer at Ivanti. “As our work environments have become digital-first it’s impossible to eliminate all risk – but we should eliminate unnecessary risk. The continued challenge for security leaders is to obtain organizational buy-in and compliance on cyber mandates – particularly with their peers on the executive team to close human-sized gaps and avoid a double standard being applied to the rest of the workforce.”
The report outlines steps businesses and security professionals can leverage to close the executive conduct gap including conducting audits, prioritizing remediation for the most common risks, conducting gamified security training sessions, and implementing “white glove” security programs.