Senior managers fumble security much more often than rank and file

Senior managers are the worst offenders when it comes to information security, because of a combination of job pressures, busy schedules and an attitude that they are above the rules, an expert says.

A recent study by Stroz Friedberg, which specializes in digital forensics and risk management, found that almost nine in 10 senior managers regularly uploaded work files to a personal email or cloud account.

In addition, more than half had accidentally sent the wrong person sensitive information and had taken files with them after leaving a job. The percentages, 58 percent and 51 percent, respectively, were much higher than for general office workers.

The reason why senior management skirts the rules is twofold. First, they tend to be under a lot of pressure due to their busy schedules, so they often have no patience for security measures that add time, Eric Friedberg, co-founder and executive chairman of the firm, said. In addition, many managers, particularly in large organizations, travel a lot and often find themselves in countries or hotels where Internet access is subpar.

"They often can't deal with the complexity and inconvenience of connecting to the corporate network through a secure channel (such as a virtual private network)," Friedberg said.

There are also those senior managers who feel they are above the rules. The chairman of a public company Stroz Friedberg worked with had his email tapped for six months, because he never changed his password.

"He just said, 'I'm above it. Changing passwords is not for me,'" Friedberg said.

Inflated egos when it comes to security are more often found in companies in which security is not practiced and emphasized at the C-level.

"In a company where there's not a pervasive culture of security emanating from the top of the organization, the top people believe that somehow their status exempts them from corporate policies," Friedberg said.

Fact is, for a company to make good security practices a normal part of doing business, senior management has to abide by the same rules as everyone else.

"That culture of security comes from the top of the organization," Friedberg said. "Managers and senior executives have to be active proponents and evangelical about security as part of the corporate culture."

With regard to the high percentage of executives who use personal email to upload work files, Friedberg believed many did not understand the potential consequences.

If a legal problem arose, the content of those personal accounts could be subpoenaed, along with corporate email.

"They probably don't realize that although they're transferring things to their personal account for convenience, they're really setting the groundwork for a litigation adversary or regulatory adversary to rummage through their personal email accounts looking for relevant corporate information," Friedberg said.

The Stroz Friedberg study was based on an online survey of 764 U.S. information workers. KRC Research conducted the survey.

To get a realistic picture of American business, the proportions of small, medium and large businesses represented in the survey matched those of the U.S. Census Bureau.
