
71% of UK company executives are targets of cyberattackers: Discover how to secure even the busiest managers

Published on 03/09/2024 Written by David Jani.

Time is often tight for company senior managers, making cybersecurity training difficult to prioritise. However, given the amount of data and system access senior staff members have, companies can’t afford to leave them underprepared.

Engineers respond to gaps in UK company’s cybersecurity training

Cyberattackers are increasingly targeting senior company leaders, whether through artificial intelligence (AI)-assisted deepfakes, biometric security breaches, malware, or ID fraud. This finding was uncovered in GetApp’s 2024 Executive Cybersecurity survey*, which questioned 2,648 IT and cybersecurity professionals across 11 countries (254 in the UK).

Cyberattacks on managers can cost businesses millions collectively, which makes it crucial to ensure more robust cybersecurity training for higher-level employees. Our study identified that 38% of UK companies targeted by a cyber incident against senior executives in the last 18 months want executives to undergo cyber training to avoid an incident.

Senior company managers are in charge of large amounts of data and have privileged access to many sensitive files, making them a major prize for bad actors. Despite the urgency, extra training is often sidestepped by executives due to time pressures, putting companies at higher risk.

Key insights
  • 71% of UK senior executives have been targeted at least once in a cyberattack on their company in the last 18 months
  • 59% of UK businesses struck by a cyberattack against managers in the last 18 months say attacks have increased against senior staff
  • 22% of the targeted senior staff were compromised by an AI-assisted deepfake attack 
  • 85% of IT and security professionals surveyed in the UK agree that senior executives should receive more cybersecurity training than other staff members
  • 29% of UK companies do not provide extra training for senior staff members, despite the risks

Security mistakes allow cyberattacks to succeed against UK senior managers

Minor mistakes in cybersecurity can cost thousands of pounds. Small vulnerabilities such as not updating software, insufficient network monitoring, or a lack of endpoint protection can help a hacker breach your systems. Our first report studying the findings of our 2024 Executive Cybersecurity Survey reflected these patterns as many UK businesses previously hit by cyberattacks prioritised fixes such as keeping software updated, better network security, and secure file sharing.  

Mistakes made by staff members across a business can lead to costly operational issues. However, if a senior manager is the target of an attack, the costs can be even more damaging.

Senior executives in business are increasingly targeted by direct attacks or, more concerningly, impersonated by deepfake technology. [1] We found that 71% of the UK IT and cybersecurity professionals surveyed had experienced an incident targeting senior management in their workplace in the last 18 months. This was 8 points higher than the global average of 63%.

graph detailing number of cyberattacks targeting UK senior executives

Amongst UK professionals, 59% of respondents whose senior leaders had been targeted in previous attacks have noted an increase in threats targeting their bosses over the last three years.

Small cybersecurity mistakes can equal big losses

There are many new and intimidating forms of cyberattacks targeting UK company managers, but older (simpler) ways of breaching a system can prove just as destructive. We found that malware attacks, stolen passwords, and phishing remain the most common ways that hackers try to compromise senior executives.

Most common types of attack targeting UK company leaders

However, newer threats leveraging AI have also started to break through. In total, 22% of targeted UK senior executives were the subject of an AI-assisted deepfake attack. This was a couple of points higher than the global average, suggesting there is cause for vigilance surrounding newer AI-powered attacks in the UK.

An AI-generated attack could be especially damaging as our findings show UK managers are allowing attacks to succeed due to elementary errors.

Mistakes made by senior executives in UK that led to cyberattacks

It does appear, however, that compliance is positive overall in Britain. Many of the mistakes leading to cyberattacks were below the global averages for UK companies. However, it was much more common for British company heads to ignore their cybersecurity training than for their global peers, which is a concerning trend.

Types of identity fraud affecting UK senior executives

The prevalence of executives not following cyber learning becomes an even bigger problem given the risks UK managers face from identity fraud. Over four out of ten (43%) of our UK sample have observed at least one ID fraud incident in their company in the last 18 months.

The guardrails offered in cybersecurity training are vitally important for businesses and should be followed by all staff members, but this goes especially for company leadership. Therefore, it is worrying that many UK managers are not following the guidance.

Senior executives should lead by example in cybersecurity terms, as their actions can have more impactful consequences on a company’s stability. As we explore below, employees expect their managers to be aware of the dangers cyberattacks pose and to be well-trained to counteract them.

Avoiding the ‘sucker’s list’

One of the nastier facts about being targeted successfully by a cyberattacker is that further attacks become more likely, especially if the target is seen as high value. Cybercriminals may share details of those who were successfully breached or who ended up sharing personal data, which can lead others to breach your systems through the same vulnerabilities.  

That’s why it’s important to strengthen your cybersecurity measures to avoid attacks. You can reduce the chances of unauthorised access with safety tools such as multi-factor authentication (MFA), encryption, and identity management software.

UK employees expect managers to be better trained in cybersecurity 

Judging by our findings, UK employees seem to be strongly in favour of more cybersecurity training for managers. Our sample shows the majority agreeing that managers should receive more training than regular employees, and that employees see the dangers of risky behaviour by senior executives.

sentiment among UK IT and cybersecurity professionals on senior executive preparedness

This underscores the important role managers have in facilitating robust cybersecurity practices at an organisational level. There is also a perception that senior executives are more likely to fall for cyberattacks, so it can do a lot for employee confidence to ensure that company leaders are well-trained and knowledgeable on how to protect themselves against threats.

29% of UK managers do not get specialised cybersecurity training

Cybersecurity training for UK employees appears to be widespread, with 84% of firms providing coaching for all staff at least once a year, slightly above a global average of 81%. It is also very common for managers to receive enhanced security training, with 67% of our sample working in companies offering this extra tutelage for senior leaders. However, there are a significant number of companies (29%) where no extra training is provided for business owners and managers.

The lack of additional training for managers and company leadership creates unnecessary risks for businesses. We’ve already seen how likely executives are to be targeted by cyberattacks and the prevalence of identity fraud facing senior leaders. This highlights the gaps where regular cybersecurity training may fail. It is not uncommon for attackers to employ ‘whaling’ approaches (nuanced attacks on high-value targets), targeting owners and senior managers specifically.

It is crucial to address the fact that 36% of breaches noted by respondents were due to managers not following cybersecurity training. Already, 70% of our UK sample expect senior execs to fall for cyberattacks more than other employees, and the news that many are not following key security guidelines will do little to quell that image.

Training received by UK employees to prevent cyberattacks

The 29% in the UK not undertaking cybersecurity training give many reasons for skipping extra security sessions. Issues such as a lack of time and resources (36%) and budget (35%) were more common in the UK than the global averages. There is also, concerningly, a higher proportion (28%) in the UK that doesn’t see the extra training as a priority. In contrast, globally, training is often skipped as a result of managers lacking time, as the graph below indicates.

Reasons senior execs globally miss out on extra cybersecurity training

Not making extra training for managers and company owners a priority at the current time presents many hazards. As we’ve seen in the findings, senior staff are prime targets for cyberattackers, face a risk of identity fraud, and could open the door to a breach by not following company-wide cybersecurity rules. 

Focused training aimed at the C-suite level is also especially urgent as new, more sophisticated AI-generated attacks like deepfakes or social engineering are becoming more common. Proper preparation allows business heads to be aware of specific threats that target higher-level staff and account for the level of access and control they have over company files and systems.

How to prepare senior managers to face security risks

Special cybersecurity training for company managers in the UK is not only vital for security but is also expected by employees of their senior executives. Leadership in this sense extends beyond strategy and organisation and also covers safeguarding data privacy, security best practices, and developing an awareness of possible threats.

There are a number of new and developing dangers that specialised cybersecurity training can help prepare executives to face effectively. These include elements such as the following:

  • Awareness of current threats: Cyberthreats are evolving quickly, and senior executives need to stay current on the methods that can specifically target them. As discussed before, time constraints may affect executive-level cybersecurity training. However, businesses can also rely on security awareness training software to access courses and guidance that adapt to their busy schedules without needing a specialized course.
  • Safeguarding image and personal data: Executives represent a major target for social engineering attacks. A lot of information needed to impersonate an executive can be found online, either from company sources, local media, or personal social network activities. Therefore, it is especially important to make executives aware of what they should and shouldn’t share online and to have them regularly review their information for security purposes.
  • Risk management: Executives should feel empowered to make decisions but must also be aware of potential risks associated with certain activities, such as finalizing high-value transactions that could be fraudulent. Understanding such risks enables businesses to prevent unwanted outcomes. These might include procedures to assess if a video call is a deepfake or having network monitoring implemented that can detect threats. Additionally, preventive steps can be initiated if an incident is noticed mid-attack, such as halting fraudulent transactions or recovering lost funds, not to mention disaster recovery strategies if they succeed. 
  • Safe use of personal devices and public networks: Company information should always be kept solely on company devices and accessed via secure Wi-Fi networks only. Insecure apps or malware can represent a big issue if they get onto company infrastructure, which is why it is important to educate executives to be especially wary of exposing their devices to these risks. Using a mobile device management system can help secure mobile hardware by providing monitoring capabilities and controlling use policy.


Survey methodology

*GetApp's Executive Cybersecurity Survey was conducted in May 2024 among 2,648 respondents in the U.S. (n=238), Canada (n=235), Brazil (n=246), Mexico (n=238), the U.K. (n=254), France (n=235), Italy (n=233), Germany (n=243), Spain (n=243), Australia (n=241), and Japan (n=242). The goal of the study was to explore how IT and cybersecurity professionals are responding to the rising threat of biometric fraud. Respondents were screened for IT and cybersecurity roles at companies that use security software and have more than one employee. Respondents were screened for involvement in, or full awareness of, cybersecurity measures implemented at their company.


Sources:

  1. CEO of world’s biggest ad firm targeted by deepfake scam, The Guardian



About the author

David is a Content Analyst for the UK, providing key insights into tech, software and business trends for SMEs. Cardiff University graduate. He loves traveling, cooking and F1.
