More senior company executives are now targets for fraud, whether it’s artificial intelligence (AI)-generated deepfakes, biometric security breaches, or ID fraud. This is a finding from GetApp’s 2024 Executive Cybersecurity survey*, which canvassed 2,648 IT and cybersecurity professionals across 11 countries (238 from the USA).
These kinds of attacks could run costs into millions, which makes it imperative to provide specialized cybersecurity training to all staff members, but especially to C-suite executives. To reinforce this, our study found that 42% of companies targeted by a cyberattack in the last 18 months prioritized training executives on security topics.
Given the amount of data, company control, and money they have authority over, senior business executives offer a major prize to cyberattackers. Despite the urgency though, work pressure and time constraints can lead many leaders to skip cyberattack defense training. Is this a risk businesses can afford to take?
72% of US senior executives have been targeted at least once by a cyberattack in the last 18 months according to surveyed IT and cybersecurity professionals
69% of respondents whose company’s senior executives were previously targeted say cyberattacks against senior members of staff have increased
27% of attacks in the last 18 months used AI-assisted deepfakes to target senior executives, although the majority of attacks were caused by phishing or malware
87% of IT and cybersecurity professionals agree that senior executives should receive more cybersecurity training than other employees
37% globally say their companies have no extra cybersecurity training for senior executives, despite the risks
Minor mistakes can lead to major consequences in the world of cybersecurity. Something as small as a simple, easy-to-guess password can have major ramifications if it leads to a successful breach from a hacker. In our first article analyzing the survey data, we found that many businesses hit by cyberattacks retroactively focused on plugging gaps, such as weak passwords, software update regularity, or improving network security.
If a staff member slips up in any of these ways, it may pose significant issues for the business. However, this risk is accelerated further if the person being targeted is in a company leadership position.
Cybercriminals have been targeting senior executives more frequently in recent times. [1] In our survey, US respondents are the most affected among all global respondents, with 72% of surveyed IT and cybersecurity professionals reporting senior executives in their companies have been the target of at least one cyberattack in the last 18 months. This was significantly above the global average of 63%.
This appears to be an increasing trend, with 69% of US respondents whose executives had been targeted by a cyberattack reporting that these attacks have risen over the last three years. Yet again, this is much higher than the 58% of global respondents who’ve witnessed a similar increase over recent years.
While cyberattackers often modify their techniques to exploit vulnerable senior executives, some common practices continue to prevail. Respondents in our survey whose companies had suffered an attack targeting senior executives say breaches were facilitated mainly by malware and phishing attacks.
Making things even more perilous is the fact that cyberattackers are deploying newer, more sophisticated methods to attack companies that are not defending high-end data securely enough. Affecting 21% of global respondents in targeted companies, AI-assisted deepfake attacks top the charts. This was higher again for US respondents where 27% reported cases of these attacks.
Many of these attacks occur because of elementary mistakes made by senior executives. Our data found that simple but costly oversights such as downloading files from untrusted sources, using weak passwords, and failing to update software regularly were the main culprits.
According to our respondents, many of these mistakes occur more frequently in US companies. At a rate way beyond the global average of 32%, the senior executives of US firms experienced breaches mostly because they bypassed security policies and procedures.
There is also an especially serious risk factor of identity fraud facing executives more generally. Over half (54%) of our US respondents are working in companies hit by at least one identity fraud incident affecting a senior executive over the last 18 months, 13 points higher than the global average (41%). Furthermore, compared to the global average, US senior executives witness significantly higher risks for fraudulent financial transactions.
Senior executives not adhering to their company’s security protocols can pose major threats to the business, especially given the access they have to secured data. While business leaders may have the capacity to override certain cybersecurity safety features in cases of urgency, it is important to know the risks of taking such actions.
One of the nastier facts about being targeted successfully by a cyberattacker is that further attacks become more likely, especially if the target is seen as high value. Cybercriminals may share details of those who were successfully breached or who ended up sharing personal data, which can lead others to breach your systems through the same vulnerabilities.
That’s why it’s important to strengthen your cybersecurity measures to avoid attacks. With safety tools such as multi-factor authentication (MFA), encryption, and identity management software, you can reduce the chances of unauthorized access.
While we’ve seen many cyberattacks result from errors made by senior executives, employees still have faith in their awareness of the dangers they face. For instance, most respondents generally agree that senior executives are aware of the threats posed by AI deepfakes, demonstrating their capacity to stay aware of new forms of cyberattacks.
However, many respondents also think that senior executives fall victim to cyberattacks more often than regular employees and that they should receive more training than other employees.
Clearly, employees see the importance of company executives’ role in cybersecurity. However, there are concerns about risky online behavior, susceptibility to cyberattacks, and level of training to cope with these challenges.
We found that most (89%) US participants say they have training once a year or more. In addition, we also found it is most common for senior executives to receive additional cybersecurity training compared with other staff members. This is the case for 69% of US senior execs compared to the global average of 57%. However, 37% of senior executives globally are not provided more enhanced training, putting them at significant risk.
That’s not to say there isn’t extensive training company-wide. We found amongst our sample that the majority have workplace coaching on subjects such as cybersecurity and data privacy. Whilst this is a good start, executives may need additional instruction to succeed against advanced cyberattacks. For example, they may need to be prepared for more advanced, individualized social engineering methods such as ‘whaling’ (highly nuanced attacks on high-value targets), which targets C-level executives specifically.
In total, 86% of our sample agree that senior executives need more frequent and specialized training than regular employees. However, in many companies, this is not happening despite senior executives' crucial role in a company's defense against cyberattacks. This is a greater concern as attacks attempting to exploit them are likely to differ from those directed at rank-and-file employees.
We focused on this factor in our survey to understand how well-prepared senior executives are to deal with potential cybersecurity threats. Overall, this is sufficiently addressed but some gaps remain.
Those in the sample with no extra training for executives say that C-level staff have justified this decision for a few reasons. Across all 11 countries surveyed, a lack of time dominates the reasoning, although the most selected response (by 37% of US respondents) indicates that senior leadership already possesses sufficient knowledge.
Many who work in companies without extra training for their senior executives have confidence in their knowledge of cyber risks but there are reasons not to be too complacent.
The danger posed by newer threats such as AI-generated deepfakes, identity fraud, or individualized social engineering attacks may require a rethink of this policy. The ‘sufficient knowledge’ noted by participants might no longer be enough. This is why it’s especially important to ensure that awareness of new and evolving cyber threats facing executives is kept as up to date as possible.
There is a desire from employees and, in fact, an imperative for senior executives to be trained on the specific cybersecurity dangers they face. We’ve already seen in our findings that they are likely to be targeted and that any mistakes on their part that undermine network security can be costly.
There are a number of new and developing threats that specialized cybersecurity training can help prepare executives to face effectively. These include elements such as the following:
Awareness of current threats: Cyber threats are evolving quickly, and senior executives need to stay current on the methods that can specifically target them. As discussed before, time constraints may affect executive-level cybersecurity training. However, businesses can also rely on security awareness training software to access courses and guidance that adapt to their busy schedules without needing a specialized course.
Safeguarding image and personal data: Executives represent a major target for social engineering attacks. A lot of information needed to impersonate an executive can be found online, either from company sources, local media, or their social network activities. Therefore, it is especially important to make executives aware of what they should and shouldn’t share online and to have them regularly review their information security.
Risk management: Executives should feel empowered to make decisions but must also be aware of potential risks that may occur when carrying out certain activities, such as finalizing high-value transactions that could be fraudulent. Understanding such risks enables businesses to prevent unwanted outcomes. These might include procedures to assess if a video call is a deepfake or having network monitoring implemented that can detect threats. Additionally, preventive steps can be initiated if an incident is noticed mid-attack, such as how to halt fraudulent transactions or recover lost funds, not to mention disaster recovery strategies if they do succeed.
Safe use of personal devices and public networks: Company information should always be kept solely on company devices, and, where possible, only secure Wi-Fi networks should be used, but in today’s interconnected world this doesn’t always happen. Insecure apps or malware can become a big issue if they get onto company infrastructure, which is why it is important to educate executives to be especially wary of exposing their devices to these risks. Using a mobile device management system can help secure mobile hardware by providing monitoring capabilities and controlling use policy.
*GetApp's Executive Cybersecurity Survey was conducted in May 2024 among 2,648 respondents in the U.S. (n=238), Canada (n=235), Brazil (n=246), Mexico (n=238), the U.K. (n=254), France (n=235), Italy (n=233), Germany (n=243), Spain (n=243), Australia (n=241), and Japan (n=242). The goal of the study was to explore how IT and cybersecurity professionals are responding to the rising threat of biometric fraud. Respondents were screened for IT and cybersecurity roles at companies that use security software and have more than one employee. Respondents were screened for involvement in, or full awareness of, cybersecurity measures implemented at their company.
Sources
David Jani