Worst offenders in IT security are senior managers

Over October and November 2013 KRC Research surveyed information workers in the United States regarding their information security attitudes and practices. The resulting report by Stroz Friedberg reveals a privilege of rank: the worst offenders in IT security are senior managers.

Businesses worldwide must be conscious of information security threats. The study Stroz Friedberg commissioned into businesses in the United States paints a rather bleak picture: those with the highest levels of access to valuable company information are the very people most likely to engage in risky behaviour.

This news may not come as a surprise to those who actually run the information systems powering enterprises. I have dealt with managing directors who insist on using their ten-year-old, five-letter, lower-case password everywhere because it is easier for them, never mind that they had divulged this password to countless personal assistants and even IT staff. I have dealt with companies planning to implement tight web filtering where the executive team ensured they were exempt from the rules that applied to the rank and file, so they could continue using their own personal webmail to send ‘confidential’ documents.

A positive result of the survey is that workers who did not participate in high-risk behaviours attributed this to strict company policy. Yet, at the same time, it was senior managers within businesses who admitted to flouting those policies – the very people with the highest levels of access to valuable company information.

According to Stroz Friedberg, an incredible 87% of senior managers admitted to uploading work files to their personal e-mail and cloud accounts. Of these, 37% state it is because they prefer to use their personal computer, and 14% say it is too much work to bring their work laptop home.

58% of senior managers admitted to having previously accidentally emailed sensitive information to the wrong person, compared to 25% of workers overall. 51% of senior managers admitted to taking files with them after leaving a job, again compared to 25% of office workers in general.

What is the solution? I have dealt with companies who intended to implement strict USB and removable media controls, again with the senior managers fighting to ensure they were exempted. In these cases I have told them there is then simply no point. Who is most likely to take company secrets with them to their next job? The receptionist? Or the head of sales? If measures to protect against information leakage do not apply to everyone, then they are purposeless.

According to Stroz Friedberg, education is lacking. Only 11% of workers who do not send work files through personal accounts are actually aware of the company policy against doing so; the other 89% refrain, but not because they know the policy.

37% of office workers stated they had received mobile device security training, and 42% stated they had received information sharing training. In other words, on each measure more than half of office workers in the United States have had no training in how to protect company information. This will become more significant if the predicted proliferation of “bring your own device” (BYOD) comes to pass.

Given the above results, it is perhaps unsurprising that 73% of all office workers also indicated they were concerned a hacker could steal personal information from their company’s information systems.

Who is to blame? 45% of senior leaders said they were responsible for protecting their companies against cyber attack, meaning 55% did not believe the buck stopped with them. Fortunately for business leaders, 54% of non-senior workers believe security is IT’s problem.

It is a grim and depressing reality. Over the last 10 or so years industrial environments have worked hard to push the message that workplace health and safety is everyone’s responsibility, and that rank-and-file workers cannot simply assume other people will keep them safe. Unfortunately, this same message has not been extended to information safety and security.


David M Williams

David has been computing since 1984, when he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and in other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen and seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
