For most organizations, it’s only natural to focus first on outside attackers when it comes to assessing cyberthreats and identifying necessary protections. Even when they consider insider threats, it’s typical for corporate executives to think primarily about lower and mid-level employees who may pose threats, be it through negligence, malice or greed.

Executives, however, can’t afford to ignore the fact that they, and their corporate peers, are often the source of cyberbreaches, be they inadvertent or intentional. And, because executives typically have privileged rights to access sensitive systems and data that lower-level employees may lack, the consequences of executive-linked breaches can be especially costly and damaging.

When it comes to intentional cybercrime, insiders were the main perpetrators 29% of the time over the past 24 months, according to PwC’s “Global Economic Crime Survey 2016: US Results.” Of the internal crimes reported, 53% were committed by middle management and 18% by senior management (up from just 4% in 2014).

If nothing else, these figures suggest that organizations must ensure – at a minimum – that safeguards against insider cyberthreats apply to all employees, from the C-suite down. Indeed, since the strongest security controls should be placed around the most sensitive and valuable data, the subset of employees with rights to access that data will typically receive even more scrutiny and face higher security hurdles than lower-level employees.

As is true of the overall insider threat, the majority of breaches tied to executives are due to their own carelessness or to the fact that they’ve been specifically targeted by outsiders. Clearly, if you’re a hacker or cybercriminal, you’d rather capture the CEO’s password and access rights than a company intern’s. That means that internal training about security best practices, like the security controls themselves, must include executive team members, and should emphasize their heightened vulnerability to being targeted for exploitation.

One example of such an exploit materialized in late 2014, when security research firm Kaspersky Lab publicized an attack dubbed “Darkhotel.” When corporate executives stayed in luxury hotels in Japan, Taiwan, China, Russia and other countries, hackers gained access to the executives’ computers when they connected to the hotels’ Wi-Fi networks. The hackers would trick the executives into downloading a seemingly legitimate software update or hotel “welcome package.” This download would infect the computer with a backdoor that could then be used to further infect the machines with key loggers, Trojans, and other forms of malware.

In short, when executives look for security vulnerabilities, they should start by looking in a mirror. C-suite occupants and other top-level managers can’t afford to remove themselves from the comprehensive security protocols and procedures that they mandate for their organizations. In some cases, the executives and their actions can make the difference between the success and failure of cyberbreach attacks.

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.