US study pinpoints major problems
By Antone Gonsalves | CSO
Senior managers routinely disregard information security protocols, because of a combination of job pressures, busy schedules and an attitude that they are above the rules, an expert says.
A recent study by Stroz Friedberg, which specialises in digital forensics and risk management, found that almost nine in 10 senior managers regularly uploaded work files to a personal email or cloud account.
In addition, more than half had accidentally sent the wrong person sensitive information and had taken files with them after leaving a job. The percentages, 58 percent and 51 percent, respectively, were much higher than for general office workers.
The reason why senior management skirts the rules is twofold. First, they tend to be under a lot of pressure due to their busy schedules, so they often have no patience for security measures that add time, Eric Friedberg, co-founder and executive chairman of the firm, said. In addition, many managers, particularly in large organisations, travel a lot and often find themselves in countries or hotels where Internet access is subpar.
“They often can’t deal with the complexity and inconvenience of connecting to the corporate network through a secure channel (such as a virtual private network),” Friedberg said.
There are also those senior managers who feel they are above the rules. The chairman of a public company Stroz Friedberg worked with had his email tapped for six months, because he never changed his password.
“He just said, ‘I’m above it. Changing passwords is not for me,’” Friedberg said.
Inflated egos when it comes to security are more often found in companies in which security is not practiced and emphasised at the C-level.
“In a company where there’s not a pervasive culture of security emanating from the top of the organisation, the top people believe that somehow their status exempts them from corporate policies,” Friedberg said.
Fact is, for a company to make good security practices a normal part of doing business, senior management has to abide by the same rules as everyone else.
“That culture of security comes from the top of the organisation,” Friedberg said. “Managers and senior executives have to be active proponents and evangelical about security as part of the corporate culture.”
With regard to the high percentage of executives who use personal email to upload work files, Friedberg believed many did not understand the potential consequences.
If a legal problem arose, the content of those personal accounts could be subpoenaed, along with corporate email.
“They probably don’t realise that although they’re transferring things to their personal account for convenience, they’re really setting the groundwork for a litigation adversary or regulatory adversary to rummage through their personal email accounts looking for relevant corporate information,” Friedberg said.
The Stroz Friedberg study was based on an online survey of 764 U.S. information workers. KRC Research conducted the survey.
To get a realistic picture of American business, the proportions of small, medium and large businesses represented in the survey matched those of the U.S. Census Bureau.