CEO cybersecurity 101: Improve your security hygiene

Executives must be exemplary users of corporate security. It's time to ditch easy-to-guess passwords and incorporate multifactor authentication methods.

Chances are, your CEO doesn’t have the best data security hygiene. And too often that's the case among other executives as well.

Let's start with the most recent example of poor security hygiene: Equifax. According to researchers, the company's "chief privacy officer, CIO, VP of PR, and VP of sales used passwords with all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year," evidence that the company failed to follow best security practices. 

Although they may not all make headlines, companies with poor security habits are (unfortunately) plentiful. The 2017 Verizon Data Breach Investigations Report found 81 percent of hacking-related breaches use either stolen or weak passwords. In other words, the breaches resulted from easily compromised identities.

Many IT managers have expressed frustration with top executives when it comes to implementing better security policies. One manager who asked not to be named tried to deploy a policy that made passwords expire after a certain period. He got various management approvals and was ready to deploy the simple change until he was rebuffed by the CEO. "My CEO told me that he had been using the same password for more than 30 years and wasn’t about to change it now. So we still have hundreds of people using non-expiring passwords around the organization," he says.

He isn’t the only frustrated IT manager, and passwords aren’t the only security issue. A recent study by Code42 found that 75 percent of CEOs and more than half of other top executives admitted to using applications that are not approved by their IT department. This could be the result of a number of factors, including the security team is not engaged with the C-suite, executives are stubborn and clinging to old ways, or security isn’t taken seriously by management. Or all three.

Get the latest on HPE's strategy: HPE Locks Down Server Security

But we shouldn’t just blame executives, since the problem could be of our own making. "There will always be a natural tension between the CIO and the CISO," wrote Saryu Nayyar, CEO of security vendor Gurucul, in an op-ed article for Dark Reading. “This dynamic is determined by the reality that the CIO is driven to provide more and better services at lower costs, while a CISO’s job is to protect everything," she says. "Over my years with talking to many IT professionals, I have seen lots of such infighting between management teams. Certainly, the time for working together in the name of better security policies has come."

CEO security malaise could also be due to a lack of understanding about the actual risks. Security practitioners drowning in noise end up taking the hunter mentality and eventually abandon the data itself. "They spot-check it and look for very specific patterns that have been successful in the past," according to Ryan Stolte, co-founder and CTO at Bay Dynamics.

How to improve cybersecurity hygiene

What should CSOs and CISOs do, other than find a more amenable CEO to work for?

Assemble a list of horror stories such as the examples cited above. Look at the root causes, and try to factor them into your plans for improving—and simplifying—your enterprise’s security practices.

Understand the value of leaked data and how it can live forever. "What’s being overlooked to some extent is the fact that the data that was compromised has perpetual value to a fraudster," says credit expert John Ulzheimer in a blog post. "In five, 10, 15 years that data will still be valuable to a fraudster." Certainly that is the case if users stick with their age-old go-to password collections, as has been illustrated here.

Talk about risks in the only language your CEO understands—money. Security consultant David Froud, who has written about this extensively, says, "This is not the language of security; it’s the language of business goals. Or to put it crassly, it’s the language of money."

Forget about next-generation firewalls, or even last-generation ones. Or the details about how your anti-malware algorithms work. Your CEO isn’t interested. It is all plumbing—and about as exciting. What will get the CEO involved is how much money you can save your company by following a particular practice. Map your organization’s assets to your business processes as a start, and make sure you understand how to value each of these processes.

If you keep security as simple as possible, people will actually use it. "If the cybersecurity industry was doing its job, it would be SIMPLIFYING things for everyone, not making them worse," says Froud in another post. Take a closer look at using single sign-on or password manager tools that take the burden of passwords from your users and automate the password creation process. Once you take the creation—and remembering— of passwords out of human hands, you have a prayer of fighting back with the criminals who prey on the collections of reused and simple passwords. 

There is no point in having a complex multifactor authentication system, for example, if only a portion of the staff uses it. Instead, find a simple multifactor authentication product and get everyone on board. Make sure you implement programs that are workable and usable. Don’t pile on security for security’s sake. And if you are evaluating two different security solutions, choose the simpler one if at all possible. Have I said "simple" enough times here?

Of course, using single sign-on tools isn’t 100 percent secure either. A recent hack into Vevo, an online music video site, was subjected to a phishing attack through LinkedIn that compromised an employee’s Okta account. From this account, the hackers were able to gain access to Vevo’s media servers and helped themselves to terabytes of private files.

That brings up my next point: Any security program should plan for better executive and user awareness education, particularly when it comes to a type of phishing attack called "whaling," or CEO impersonation. In this attack, emails that appear to be sent by your CEO or CFO request the transfer of huge sums of money but in reality are just scams writ large. Numerous security vendors offer such education programs, if you don’t want to design your own. All it takes is a single email to break through your defenses, as the folks at Vevo found out.

Practice what you preach. You won't get very far it you aren’t trying out what you recommend. Lead by example. Years ago, when I first started working in IT, I had a CTO (we didn’t call him that, but that is what he was) who refused to use the Lotus 1-2-3 spreadsheet software that everyone else was getting for their PCs because Lotus 1-2-3 came with copy protection on the disk. When he found out that I had a version that removed the copy protection, he insisted that I install it on his PC. We don’t need more hypocrites in IT. Do as I say and as I do.

We still have a long way to go before we can get better-behaving CEOs, at least when it comes to security practice. Updating their passwords or using a password manager or a single-sign-on tool could be the first important step. 

How execs can improve security hygiene: Lessons for leaders 

  • Lead by example and choose passwords that are harder to guess and have some level of complexity
  • Change passwords periodically
  • Follow IT policies when it comes to using approved apps. Don't pull rank by insisting on a favorite app (unknown by IT) for conducting corporate business
  • Work closely with CISOs and other security pros to find cost-effective solutions together
  • Keep security systems simple. Complexity reduces the possibility of wide usage.
  • Help plan wider security awareness education and training
  • Use the tools your security department recommends

Related link:

HPE Ups the Ante with Gen10: the World's Most Secure Industry-Standard Server

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.