Busy schedules and a belief that they are above the rules lead to slip-ups, says study

Senior managers are the worst offenders when it comes to information security, because of a combination of job pressures, busy schedules and an attitude that they are above the rules, an expert says.

A recent study by Stroz Friedberg, which specializes in digital forensics and risk management, found that almost nine in 10 senior managers regularly uploaded work files to a personal email or cloud account. In addition, more than half had accidentally sent the wrong person sensitive information and had taken files with them after leaving a job. The percentages, 58 percent and 51 percent, respectively, were much higher than for general office workers.

The reason senior management skirts the rules is twofold. First, they tend to be under a lot of pressure due to their busy schedules, so they often have no patience for security measures that add time, Eric Friedberg, co-founder and executive chairman of the firm, said. In addition, many managers, particularly in large organizations, travel a lot and often find themselves in countries or hotels where Internet access is subpar.

“They often can’t deal with the complexity and inconvenience of connecting to the corporate network through a secure channel (such as a virtual private network),” Friedberg said.

There are also those senior managers who feel they are above the rules. The chairman of a public company Stroz Friedberg worked with had his email tapped for six months, because he never changed his password.

“He just said, ‘I’m above it. Changing passwords is not for me,’” Friedberg said.
Inflated egos when it comes to security are more often found in companies in which security is not practiced and emphasized at the C-level.

“In a company where there’s not a pervasive culture of security emanating from the top of the organization, the top people believe that somehow their status exempts them from corporate policies,” Friedberg said.

The fact is, for a company to make good security practices a normal part of doing business, senior management has to abide by the same rules as everyone else.

“That culture of security comes from the top of the organization,” Friedberg said. “Managers and senior executives have to be active proponents and evangelical about security as part of the corporate culture.”

With regard to the high percentage of executives who use personal email to upload work files, Friedberg believed many did not understand the potential consequences. If a legal problem arose, the content of those personal accounts could be subpoenaed, along with corporate email.

“They probably don’t realize that although they’re transferring things to their personal account for convenience, they’re really setting the groundwork for a litigation adversary or regulatory adversary to rummage through their personal email accounts looking for relevant corporate information,” Friedberg said.

The Stroz Friedberg study was based on an online survey of 764 U.S. information workers. KRC Research conducted the survey. To get a realistic picture of American business, the proportions of small, medium and large businesses represented in the survey matched those of the U.S. Census Bureau.