It's certainly easy to dismiss with a chuckle the topic of this Internet News story, that high-level executives increasingly are targets of malicious e-mail. The writer admits it sounds like a Dilbert cartoon.
But, as the writer correctly points out, this is deadly serious stuff. C-level executives have a high level of access and deal with a tremendous amount of sensitive data. An organization can't allow spammers and phishers to play them for fools.
The MessageLabs press release upon which the story is based says that on June 26, the company intercepted more than 500 precisely addressed messages. The targets were chief investment officers (30 percent), chief executive officers (11 percent), chief information officers (almost 7 percent) and chief financial officers (6 percent).
There are at least two issues here. The first, of course, is a discussion of the technical solutions that can keep these phishing attempts under control. The more subtle and interesting issue is whether security personnel have enough "juice" in the organization to make their superiors listen to them. In other words, it's easy to tell Bill or Bob from the mail room that he has to use certain procedures -- but quite another to make the CEO follow suit.
It seems that a good portion of senior managers don't pay enough attention to security. "The Password Pain Poll" released earlier this month by DigitalPersona and the Business Performance Management Forum said that 68 percent of C-level executives have exchanged network passwords with "colleagues." Whether these colleagues were other senior executives or lower-level folks is not indicated. The survey also found that 48 percent of C-level respondents said that ease of use and increased productivity were their top security priorities in 2007. That's understandable, but a bit disconcerting simply because a person focused on ease of use may be more likely to skip steps in his or her own security regimen.
Of course, many of these security steps will be automated. It is impossible, however, to keep the executive completely out of the loop. Good security practices -- such as guarding passwords and not opening attachments lest malware be let loose behind the firewall -- depend on common sense and the willingness of the end user to follow directives.
We suspect that IT will have an increasingly easy time getting senior-level executives to sign on to security as a general corporate policy, especially if IT folks are savvy and present the issue in business and not technical terms.
The bigger problem may be getting senior-level executives to take their own medicine. This is a fuzzier area. In the real world, IT folks struggling for acceptance at the corporate table may be loath to push hard against executives on whose good will they depend. The bottom line is that they must, or spam aimed at the C-level will succeed.