To better train and prepare their company’s employees for cyber attacks, CISOs need to put themselves in the attackers’ shoes to anticipate their motives, means and actions.

In a KnowBe4 webinar last week, hacker turned pentesting professional Kevin Mitnick talked about real-life cases of human vulnerability that threat actors could exploit for their benefit and what companies can do to prevent these threats.

“Everybody needs to be a human firewall,” he said.

His main message was that building a security culture entails educating all employees, from executives and unit heads with privileged access down to frontline staff and new hires.

Those from the C-suite, for instance, make great targets for attackers because of the amount of sensitive information they have access to, the authority they wield when they send instructions to staff – and their notions of their own invincibility.

“Executives may not take security awareness seriously because they think it is really not part of their jobs,” Mitnick said, adding that some CEOs use passwords that are very easy to crack, or use personal devices that don’t even have PINs.

He compared the cybersecurity risk among those in the C-suite to the physical security needed by heads of state or anybody in high authority.

Mitnick advised taking simple but important security measures such as setting up fraud alerts for bank transactions, avoiding predictable patterns when choosing passwords, and using password management tools, especially for those guarding privileged information.

“Once attackers get in, they have the keys of the kingdom, and it’s pretty much game over,” he said.

Global losses to business email compromise have exceeded $12 billion, Mitnick said. BEC usually takes the form of spoofed emails from the CEO, issuing instructions to make or redirect payments.

“The trick is to make employees feel that they are just doing their jobs.”

To avoid falling for such scams, employees need to have checklists to make sure the instructions are really coming from the person of authority.

Most vulnerable to these attacks are employees in the human resources department, Mitnick said, because they receive numerous emails with attachments all the time. It is also very easy to pose as somebody from the IT unit and call up others in the organization, asking them to log into illegitimate domains using their legitimate credentials.

Security professionals should ensure that not everybody in the company is allowed to receive files with macros, that there is a policy for verifying that those who issue instructions are who they claim to be, and that multi-factor authentication steps are in place.
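As an added example, not code from the webinar or from KnowBe4, the checks below turn the advice in the two passages above into a mail-gateway style triage routine: it flags the BEC pattern (an executive's display name on an external sender address, a Reply-To that diverts answers elsewhere, payment language from outside the company) and enforces a recipient allowlist for macro-enabled attachments. The company domain, executive names, allowlist and the sample messages are all constructed for the example; only the Python standard library is used.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

# Assumed configuration for the example (not from the webinar).
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}                      # display names worth impersonating
MACRO_ALLOWED = {"finance-analytics@example.com"}   # the only recipients allowed macro files
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
PAYMENT_WORDS = ("wire", "transfer", "payment", "bank details", "invoice")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message; [] means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # 1. An executive's name in the display name, but the address is not ours.
    if any(exe in name.lower() for exe in EXECUTIVE_NAMES) and from_domain != COMPANY_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from external domain '{from_domain}'")

    # 2. Reply-To steers the conversation to a domain other than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"reply-to mismatch: replies would go to '{reply_addr}'")

    # 3. Payment instructions from outside the company: hold for out-of-band verification.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if from_domain != COMPANY_DOMAIN and any(w in text for w in PAYMENT_WORDS):
        findings.append("external payment instruction: confirm with the requester by a known phone number")

    # 4. Macro-enabled attachment addressed to anyone outside the macro allowlist.
    headers = [str(v) for v in (msg.get("To"), msg.get("Cc")) if v]
    recipients = {a.lower() for _, a in getaddresses(headers) if a}
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(MACRO_EXTENSIONS):
            blocked = recipients - MACRO_ALLOWED
            if blocked:
                findings.append(f"macro-enabled attachment '{fname}' to non-allowlisted {sorted(blocked)}")
    return findings


def build_bec_sample() -> bytes:
    """Constructed BEC-style message: CEO name, external sender, external Reply-To, payment ask."""
    m = EmailMessage()
    m["From"] = '"Jane Doe" <jane.doe@mail-example.net>'
    m["Reply-To"] = "ceo-office@mail-example.org"
    m["To"] = "payments@example.com"
    m["Subject"] = "Urgent wire transfer"
    m.set_content("Please process the wire transfer today. I am in meetings, do not call.")
    return m.as_bytes()


def build_macro_sample() -> bytes:
    """Constructed application email carrying a macro-enabled document to HR."""
    m = EmailMessage()
    m["From"] = "applicant@mail-example.net"
    m["To"] = "hr@example.com"
    m["Subject"] = "Application"
    m.set_content("Please find my CV attached.")
    m.add_attachment(b"PK\x03\x04 constructed placeholder, not a real document",
                     maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="cv.docm")
    return m.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed benign internal message from the real executive mailbox."""
    m = EmailMessage()
    m["From"] = '"Jane Doe" <jane.doe@example.com>'
    m["To"] = "payments@example.com"
    m["Subject"] = "Q3 budget"
    m.set_content("Please send me the Q3 budget summary when ready.")
    return m.as_bytes()


if __name__ == "__main__":
    for label, sample in (("bec", build_bec_sample()),
                          ("macro", build_macro_sample()),
                          ("clean", build_clean_sample())):
        print(label, analyze_message(sample))
```

The findings are deliberately advisory rather than a hard block: the point of the "verify the instruction" policy is that a flagged payment request goes to a human who calls the executive back on a known number, while the macro rule is the one place where an outright quarantine is the right default for everyone not on the allowlist.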

All organizations should train their employees on possible channels that attackers can use to get into their systems, Mitnick said. Most of all, they should be trained to stop and think critically before doing anything that might compromise security.

Mitnick was joined in the webinar by Perry Carpenter, KnowBe4’s chief evangelist and strategy officer.