Executive Missteps: Above the Law
- Susan Sons
- Jul 22
- 4 min read
This is the first installment of an ongoing series on how business leaders, often unknowingly, sabotage their organization's cybersecurity...and how not to be that person. Each is inspired by a true story (or several).

It's late on a Friday afternoon, and the corporate help desk gets a phone call. The CEO is in a panic. He's on Christmas vacation with his family at the beautiful Silver Sands Gulf Beach Resort on Longboat Key, and can't log in to key systems. He's got two hours to put together a report for the Board of Directors to reassure them that the company's current R&D investments are well-focused. Unfortunately, his VPN isn't working and the normal password reset process hasn't been successful.
The 21-year-old help desk technician says he can't help. He's learned that requests like this are often social engineering attacks that are preludes to breaches. The Friday after the CEO returns, a 4:30 PM meeting titled "meeting" appears on the help desk technician's calendar. Also invited are his boss and HR. During the meeting he is terminated, effective immediately. He is escorted to his desk by HR with a cardboard box, and then to the parking lot.
Almost two years later, on the Wednesday before Thanksgiving, the help desk gets a frantic call from the CFO, who's unable to access her account through the regular means during a business trip. Everyone remembers when the earlier help desk technician was terminated for asking the CEO to stick to the protocol, so this time the help desk technician bypasses the usual protocol, provides a new password over the phone, and turns off MFA for the account. (Andrew's note: I have used this exact ruse very successfully to gain access to numerous sensitive resources during social engineering penetration testing. We made a conscious effort to schedule social engineering testing near holidays because standards lapse.)
Unfortunately, it wasn't the CFO on the phone. The call came from an attacker, and the company's bank accounts were emptied by the time work started on Monday. What followed was a nightmare. Purchase orders didn't go through, net-30 invoices were paid months late, and cleaning up after the incident cost the company far more than the balance of the emptied accounts.
I wish this were just a scary story, but it happens every day. The company's executives told their board and their cyber-insurer "we got scammed", "it was an advanced attack", and "we have protections in place, this should never have happened". They blamed the help desk technician for not following the written policy, and fired her. They fired the help desk manager for not enforcing the policy. The help desk manager, who had been in the room when the first technician was terminated for following that same policy, sued for wrongful termination and defamation per se. She won.
When the CEO communicated to the company that executives are above the policy, he ensured that a simple, basic social engineering attack like this one would eventually succeed.
If you are a leader of any kind, think hard about the example you set. Did you demand more access to systems and services than you needed, or did you show through your behavior that least privilege matters? Did you sidestep an inconvenient policy, or did you work with your CISO to ensure that your policies work and to minimize exceptions? Did you install that software that isn't on the security team's approved list, or did you reach out to the cybersecurity team to find a secure way to meet your business needs?
Everyone's watching. Leaders are always on stage.
Creating a Culture of Security
Executives and business leaders at every level can make the organization more secure through small, everyday choices that set an example:
- When someone proposes adopting a new technology, ask for the cybersecurity team's assessment. This creates the expectation that part of technology adoption is understanding whether and how the thing can be secured, and eventually gets people throughout the organization asking these questions proactively, early in the process.
- When cybersecurity seems to be getting in the way, instead of demanding an exception, ask the security team how to improve the technology, process, or policy. This teaches the organization that security measures mean something, even at the highest levels.
- When a security policy comes up for review, give honest feedback. A good cybersecurity team should find ways to meet all of the business's needs securely, but it can't do that without the perspective of the people doing the work on what enables them and what gets in the way.
- Don't be the casual complainer. Some non-technical leaders complain about cybersecurity the way some people complain about the weather... it's just their default small talk. When leadership does this, those looking to them as leaders get the message that security is an imposition rather than a necessary risk-limiter and enabler. If you have real security issues, bring them to the individuals responsible for fixing the problem. Whining about MFA in the elevator or on Slack only weakens the organization.
- Be visible in rewarding good security behavior. Thank the help desk worker who verifies your identity before taking action on your behalf. Compliment the leader who includes cybersecurity implications in a project proposal. Everyone's listening; telling them that cybersecurity is on your plate and is something you value can make a big difference, and it's free.
Wrapping up
Cybersecurity isn't just a technical discipline; it’s a leadership discipline. When executives demonstrate that policy is optional for them, they teach the entire organization that rules don’t really matter. But when leaders consistently model good security behavior—even when it’s inconvenient—they lay the foundation for a culture that can resist attacks, not just recover from them. Your actions write the playbook your team will follow. Make sure it's one that leads to resilience, not regret.