For one thing, their high-profile positions make it easy for hackers to dig up a lot of information about their activities and interests, and that data can be used to craft fake messages.
For another, they're always hurrying through their inboxes; if they see a message that contains an emotional trigger, such as 'Company XYZ is filing a lawsuit against your company. Please find attached the details,' they'll click.
CEOs also tend to exclude themselves from regular security training that is mandatory for employees lower on the totem pole, he adds. So they may have a poor understanding of threats.
But that doesn't mean you can't help them to learn.
"One technique that works is telling executives that you want them to see what the rank-and-file are going to experience in the training," says Belani. "Show them what happens when they click on a link in a phishing email, and then discuss the consequences."
Such training can greatly lower their risk of being exposed to an attack, says Belani. The key is to get them caught up as soon as they come on board with your company and keep them up to date throughout their time there.
"Make sure your message is perceived as relevant to the audience, and reinforce positive behaviors," he suggests. "Use case studies and anecdotes to tell about break-ins and discuss what could have been done to prevent them. And, of course, measure the outcomes."
JULIE STRICKLAND covers start-ups, small businesses, and entrepreneurial endeavors of all kinds for Inc. Her work has been published in Brooklyn Based and City Limits in New York, the Free Times in Columbia, SC, Real Travel Magazine in London, and Daegu Pockets in South Korea. She lives in New York City. @Jules5168