This news may not come as a surprise to those who actually run the information systems powering enterprises. I have dealt with managing directors who insist on using their ten-year-old, five-letter, lower-case password everywhere because it is easier for them, never mind that they had divulged this password to countless personal assistants and even IT staff. I have dealt with companies planning to implement tight web filtering where the executive team ensured they were exempt from the rules that applied to the rank and file – so they could continue using their personal webmail to send ‘confidential’ documents.
A positive result of the survey is that workers who did not engage in high-risk behaviours attributed this to strict company policy. Yet, at the same time, it was senior managers within businesses who admitted to flouting those policies – the very people with the highest levels of access to valuable company information.
According to Stroz Friedberg, an incredible 87% of senior managers admitted to uploading work files to their personal e-mail and cloud accounts. Of these, 37% state it is because they prefer to use their personal computer, and 14% say it is too much work to bring their work laptop home.
58% of senior managers admitted to having accidentally emailed sensitive information to the wrong person, compared to 25% of workers overall. 51% of senior managers admitted to taking files with them after leaving a job, again compared to 25% of office workers in general.
What is the solution? I have dealt with companies who intended to implement strict USB and removable media controls, again with the senior managers fighting to ensure they were exempted. In these cases I have told them there is then simply no point. Who is most likely to take company secrets with them to their next job? The receptionist? Or the head of sales? If measures to protect against information leakage don’t apply to everyone, then they are purposeless.
According to Stroz Friedberg, education is lacking. Only 11% of workers who do not send work files through personal accounts are actually aware of the company policy against doing so – the other 89% don’t do it, but not because they know the policy.
37% of office workers stated they received mobile device security training, and 42% stated they received information sharing training. In other words, a majority of office workers in the United States have not been trained in mobile device security, and a majority have not been trained in how to share company information safely. This will only become more significant if the predicted proliferation of “bring your own device” (BYOD) comes to pass.
Given these findings, it is perhaps unsurprising that 73% of all office workers also indicated they were concerned a hacker could steal personal information from their company’s information systems.
Who is to blame? 45% of senior leaders said they were responsible for protecting their companies against cyber attack – meaning 55% did not believe the buck stopped with them. Fortunately for business leaders, 54% of non-senior workers believe security is IT’s problem.
It is a grim and depressing reality. Over the last 10 or so years, industrial environments have worked hard to push the message that personal workplace health and safety is everyone’s responsibility, and that rank-and-file workers cannot simply assume other people will keep them safe. Unfortunately, the same message has not been extended to information security.