The biggest threat to your company's cyber security isn't foreign hackers or devious geeks holed up in their apartments.
It's your CEO, writes Rohyt Belani, CEO of PhishMe, a Virginia-based security company, in The Harvard Business Review.
For one thing, their high-profile positions make it easy for hackers to dig up a lot of information about their activities and interests, and that data can be used to craft fake messages.
For another, they're always hurrying through their inboxes; if they see a message that contains an emotional trigger, such as 'Company XYZ is filing a lawsuit against your company. Please find attached the details,' they'll click.
CEOs also tend to exclude themselves from the regular security training that is mandatory for employees lower on the totem pole, he adds, so they may have a poor understanding of the threats they face.
But that doesn't mean you can't help them to learn.
"One technique that works is telling executives that you want them to see what the rank-and-file are going to experience in the training," says Belani. "Show them what happens when they click on a link in a phishing email, and then discuss the consequences."
Such training can greatly lower their risk of exposure to an attack, says Belani. The key is to get them caught up as soon as they join your company and to keep them up to date throughout their time there.
"Make sure your message is perceived as relevant to the audience, and reinforce positive behaviors," he suggests. "Use case studies and anecdotes to tell about break-ins and discuss what could have been done to prevent them. And, of course, measure the outcomes."