Free Kali Linux book – Kali Linux Revealed

I came across this a few months ago. It’s not a book on hacking, or even on how to prep for the PWK / OSCP. But it’s free, and available from the Kali Linux team themselves, so there is no more accurate place to get information on the distro than them. Note: there is a certification they offer that this material is targeted at; I don’t know the market value / ROI of that cert, but the course and book are free, so there is no reason not to check it out.

https://www.kali.org/download-kali-linux-revealed-book/ 

Should C levels get special treatment?


I’ll get this out of the way first: from a professional employment standpoint, absolutely. If you get an email from the CEO, then sure, anyone would expect you to pay more attention than normal.

But I’m talking strictly from a security standpoint. I’m sure we’ve all heard the stories about small companies where management feels they need domain admin access just because they are “the boss”. When your IT department is two people, you might not be able to help situations like that.

This came to me the other day when my team was doing phishing testing and USB drops. First came the phishing: we targeted a few different departments, and they were fair game. Typical stuff, HR and finance in this case: one campaign about benefits and another about due invoices, things people have been trained on, and something for which I would hope for a fairly low click rate, with most of them reported to the help desk.

This prompted a discussion about spear phishing a few of the executives. There is enough public data available on most of them that you could create an extremely convincing phishing email. But we were told they might be upset if we did that.

The same situation happened with the USB drops. We could leave them anywhere, but putting them in an executive’s office was off limits. The strange part is that the policy didn’t come from the executives themselves, but from the management below them, who felt the executives would be upset.

This brings up a problem: the people who might be most targeted are also the people exempt from training and testing, because the people below them fear the consequences of making the top-level executives follow the same requirements as everyone else. They shouldn’t be exempt; they should get as much training and testing as the standard user base, if not more. If an attacker is going to target you, especially if you’re a bigger target, then you shouldn’t get special treatment and a pass.

/rant