One of the biggest problem with the US military is senior leadership needs cyber security awareness training so that DoD can adequately prevent breaches similar to the recent Joint Chiefs of Staff incident (emphasis added):
In fact the military does give security training a high priority, but as in many organizations, there are weak spots. One has to guess (since the JCS isn’t discussing the breach) that the Joint Chiefs followed a familiar pattern in which the guys at the top were too busy to get the security training everyone else got. The fact that they had to have an emergency training session on phishing after the breach points this out.
But what’s being overlooked even as the military fixes this problem is the similar issue at companies where the C-level executives are apparently immune from corporate security training requirements. They’re too busy, you see. Their time is too expensive to waste with training.
But in fact it’s the data held and used by the C-suite that’s likely the most critical to the success of the business. Even if the hackers can’t hack the cash registers, they can still hack the CEO’s email.
This is a blind spot in corporate governance if there ever was one. The authors of the Harvard Business Review article point this out. Unfortunately, I suspect the people who need it the most will also be too busy to read it.
I have been saying this all along, ever since my time with the US government. Admirals and Generals are the easiest targets because they receive the least amount of training, often times believe they are above the law, and rarely ever comprehend or are interested in the cyber security training they do attend.
Surely the attackers know this already and are actively exploiting the vulnerability.