An executive security plan that doesn’t contain protection against social engineering is often to blame.