Leadership discussion

Is your CEO putting your company at risk?

Share with your network!

It's the dirty little secret that IT security officers don't want anyone to know. Actual simulated phishing attack results show that C-level executives may be most likely to take the bait and fall for simple or sophisticated spear phishing attacks. We recently released this news, finding that an average of 33% of Fortune 500 corporate executives are falling for phishing attacks. In response, we're offering helpful tips for CSOs trying to convince corporate executives they need education on how to recognize and avoid cyber security attacks.

It's clear that phishing attacks continue to rise. Recent high profile breaches initiated by a phishing attack or more targeted spear-phishing attack include the Associated Press, the U.S. Department of Energy, and other well-known organizations.

But here's the shocker. Cyber security experts are discovering that corporate executives are falling for attacks like electronic faxes, fake conference registrations, shipping confirmations, and social media password resets. Not only are these executives clicking on potentially malicious links, Wombat's data reveals some senior executives are actually submitting login credentials, which may be exposing their company to harmful data breaches.

In response, Wombat offers the following tips for IT security officers who want to convince company leaders of the need to educate the entire employee base, including executives, about phishing attacks and how to avoid them.


  1. Know your Numbers – When you're trying to sell security awareness internally, it's good to know the cost of not investing, i.e. damage to brand reputation, loss of intellectual property, cost of cleaning PCs, unnecessary helpdesk calls, etc. Risky behavior is expensive.
  2. Remember the Executive Assistant – Anyone who has access to the executive's email may be vulnerable to phishing attacks. Training people in these roles is equally as important as training your executives.
  3. Quantify the Opportunity Cost of Remediation – If you and your security team had less threats or breaches to chase, what proactive or revenue generating projects could you accomplish? Have the list in your pocket.
  4. "My Time is Too Valuable" is Not an Answer – If you've got stats and numbers to back you up, there's no reason to let the executive team off the hook for training. Everyone needs to be educated about information security risks and the CEO and the executive team can lead by example.

In addition to these helpful tips, Wombat Security Technologies offers innovative tools to assess and train a workforce. Wombat's cyber security arsenal includes a mock phishing attack service, a comprehensive training platform with a full set of 10-minute software training modules, and sophisticated reporting tools that profile a company's vulnerability to cyber threats.