Saturday, 11 January 2014 12:34

Worst offenders in IT security are senior managers


Over October and November 2013, KRC Research surveyed information workers in the United States about their information security attitudes and practices. The resulting report, published by Stroz Friedberg, reveals a privilege of rank: the worst offenders in IT security are senior managers.

Businesses worldwide must be conscious of information security threats. The study Stroz Friedberg commissioned into businesses in the United States paints a rather bleak picture: those with the highest levels of access to valuable company information are the very people most likely to engage in risky behaviour.

This news may not come as a surprise to those who actually run the information systems powering enterprises. I have dealt with managing directors who insist on using their ten-year-old, five-letter, lower-case password everywhere because it is easier for them, never mind that they have divulged this password to countless personal assistants and even IT staff. I have dealt with companies planning to implement tight web filtering where the executive team ensured they were exempt from the rules that applied to the rank and file, so they could continue using their personal webmail to send ‘confidential’ documents.

A positive result of the survey is that workers who did not engage in high-risk behaviours attributed this to strict company policy. Yet, at the same time, it was senior managers who admitted to flouting those policies, the very people with the highest levels of access to valuable company information.

According to Stroz Friedberg, an incredible 87% of senior managers admitted to uploading work files to their personal e-mail or cloud accounts. Of these, 37% said it was because they prefer to use their personal computer, and 14% said it was too much work to bring their work laptop home.

58% of senior managers admitted to having accidentally e-mailed sensitive information to the wrong person, compared with 25% of workers overall. 51% of senior managers admitted to taking files with them after leaving a job, again compared with 25% of office workers in general.

What is the solution? I have dealt with companies that intended to implement strict USB and removable media controls, again with the senior managers fighting to ensure they were exempted. In these cases I have told them there is then simply no point. Who is most likely to take company secrets with them to their next job? The receptionist? Or the head of sales? If measures to protect against information leakage do not apply to everyone, they are purposeless.
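The two points above, the 87% of senior managers who mail work files to personal accounts and the rule that a leakage control has to cover everyone, can be turned into a concrete mail-gateway check. The following is an added example, not code from the article or from Stroz Friedberg: it parses a constructed outbound-mail log, flags any internal sender who mails an attachment to a personal (freemail) domain, and aggregates the hits per sender. The log format, the corporate domain `example.com`, the addresses and the freemail list are all assumptions made for the example. Deliberately, there is no role-based exemption list anywhere in the logic: the CEO and the receptionist are evaluated by exactly the same rule.

```python
"""Flag outbound mail carrying attachments to personal-mail domains.

Added example. The log lines, addresses and domains below are constructed
for illustration and do not come from any real gateway or from the article.
"""
import re
from collections import defaultdict

# Assumed: the organisation's own mail domain and a short freemail list.
CORPORATE_DOMAIN = "example.com"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Assumed gateway log format: one delivery attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> "
    r"attachments=(?P<att>\d+) size=(?P<size>\d+)$"
)

# Constructed sample log, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2014-01-10T08:12:01Z from=<ceo@example.com> to=<ceo.home@gmail.com> attachments=2 size=4811920
2014-01-10T08:15:44Z from=<reception@example.com> to=<vendor@supplier.example.net> attachments=1 size=20212
2014-01-10T09:02:10Z from=<head.sales@example.com> to=<hsales@outlook.com> attachments=1 size=3310000
2014-01-10T09:05:55Z from=<ceo@example.com> to=<board@example.com> attachments=1 size=88000
2014-01-10T09:30:12Z from=<analyst@example.com> to=<me@yahoo.com> attachments=0 size=1200
2014-01-10T10:01:00Z from=<cfo@example.com> to=<cfo.private@icloud.com> attachments=3 size=9100000
garbage line that should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["att"] = int(event["att"])
    event["size"] = int(event["size"])
    return event


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_personal_mail_exfil(event):
    """True when an internal sender mails at least one attachment to a freemail domain.

    No sender, role or group is exempt: the check looks only at the addresses
    and the attachment count, never at who the sender is.
    """
    return (
        domain_of(event["sender"]) == CORPORATE_DOMAIN
        and domain_of(event["rcpt"]) in PERSONAL_MAIL_DOMAINS
        and event["att"] > 0
    )


def find_exfil_events(log_text):
    """Parse the log and return every event that matches the rule."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None and is_personal_mail_exfil(event):
            hits.append(event)
    return hits


def summarise_by_sender(events):
    """Per-sender totals of messages, attachments and bytes sent to personal mail."""
    totals = defaultdict(lambda: {"messages": 0, "attachments": 0, "bytes": 0})
    for event in events:
        t = totals[event["sender"]]
        t["messages"] += 1
        t["attachments"] += event["att"]
        t["bytes"] += event["size"]
    return dict(totals)


if __name__ == "__main__":
    for sender, t in sorted(summarise_by_sender(find_exfil_events(SAMPLE_LOG)).items()):
        print(f"{sender}: {t['messages']} message(s), {t['attachments']} attachment(s), {t['bytes']} bytes")
```

On the sample log the rule fires three times (the CEO, the head of sales and the CFO); the analyst's message to a yahoo.com address carries no attachment and is not flagged, and the receptionist's message goes to a supplier, not a personal account. Whether a hit is blocked or only alerted on is a separate decision, but the point of the article stands either way: the moment an exemption list is added for the executive team, the three events that matter most are the ones that disappear from the report.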

According to Stroz Friedberg, education is lacking. Only 11% of workers who do not send work files through personal accounts are actually aware of the company policy against doing so; the other 89% refrain, but not because they know the policy.

37% of office workers stated they had received mobile device security training, and 42% stated they had received training on information sharing. In other words, in each case more than half of office workers in the United States have not been trained in how to protect company information. This will only become more significant if the predicted proliferation of bring your own device (BYOD) comes to pass.

Given the above results, it is perhaps unsurprising that 73% of all office workers also indicated they were concerned a hacker could steal personal information from their company’s information systems.

Who is to blame? 45% of senior leaders said they were responsible for protecting the company against cyber attack, meaning 55% did not believe the buck stopped with them. Fortunately for business leaders, 54% of non-senior workers believe security is IT’s problem.

It is a grim and depressing reality. Over the last ten or so years, industrial environments have worked hard to push the message that workplace health and safety is everyone’s responsibility, and that rank-and-file workers cannot simply assume other people will keep them safe. Unfortunately, the same message has not been extended to information safety and security.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.