
Senior Managers Are the Worst Information Security Offenders

Posted by Unknown Lamer
from the security-is-for-little-people dept.
An anonymous reader writes "As companies look for solutions to protect the integrity of their networks, data centers, and computer systems, an unexpected threat is lurking under the surface — senior management. According to a new survey, 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account to work remotely, putting that information at a much higher risk of being breached. 58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

  • Seen it on the job: (Score:5, Informative)

    by Hartree (191324) on Thursday January 09, 2014 @02:28PM (#45908803)

    This is supposed to be some great revelation?

    They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

    • by Ben4jammin (1233084) on Thursday January 09, 2014 @02:38PM (#45908961)
      It will be a revelation to senior management.

      They will in fact need reports such as this to recognize the reality that all us IT workers have known for years. See, the fact that you don't understand that is why you are likely not in senior management :)
      • by Penguinisto (415985) on Thursday January 09, 2014 @02:52PM (#45909167) Journal

        Sad, but true.

        I remember a CEO of a moderate-sized corp (!?) who didn't see the need for locking down his Blackberry.... until he lost it one night while out on the town. Took me all of five minutes to crawl out of bed and wipe/lock the device remotely via BES, but the funny part was that it took that incident (and a gentle explanation of why I wiped his device - he originally wanted me to "locate" it for him) before he figured out that security was more than just a buzzword that got in his way.

      • by MickyTheIdiot (1032226) on Thursday January 09, 2014 @03:06PM (#45909349) Homepage Journal

        So the moral of the story is we should all get together and set up a Gartner-like "consulting" firm where we make C*O's pay million dollar consulting fees and (unlike Gartner) they get the common-sense information they can get from any security text book since the C*Os will only listen to advice that they pay a bazillion dollars for. They are mentally incapable of listening to the smart IT guy in their department that they pay $40k a year.

        • what land is this you live in?

          No, seriously, upper management has ALWAYS been the bane of anything IT related. Every boneheaded request, every response of "well, why can't I do that?" or "... it would just be easier for me that way..." always comes from senior management, and no matter how many times you tell them why it has to be done a certain way, they just don't get it.

          • by rtb61 (674572) on Thursday January 09, 2014 @10:49PM (#45913613) Homepage

            Ego and arrogance got them their position at the top (all that corporate back stabbing, taking credit for other people's work and of course blaming anyone and everyone for executives' own mistakes), so it is hardly surprising that the same attitude arises in their security decision making. "Security is for the little people, the nobodies; I pay you to make me secure; it's your fault, you're fired" is senior management's normal attitude to security.

          • by dbIII (701233)
            Yes but people not in IT often can't imagine the possible consequences so this is news to them.

            It's creeping into popular culture though - a major plot point of one of the "Torchwood" mini series was a manager ignoring security and letting a temp use their login and password. Others in that office treated it as a normal situation.

            Reality is just like that in far too many places.
      • by multisync (218450)

        It will be a revelation to senior management.

        They will in fact need reports such as this to recognize the reality that all us IT workers have known for years.

        Yeah, right. Senior management will never read a report titled "Senior managers are the worst information security offenders" on a site called net-security.org, any more than they would read a report at motherjones.com about the disparity between the wages of regular employees and executives.

      • by whoever57 (658626) on Thursday January 09, 2014 @05:01PM (#45910833) Journal

        It will be a revelation to senior management.

        No, it won't. Senior managers are very often less intelligent than the people they oversee. What senior managers possess is greater (but misplaced) confidence in their own abilities and/or some level of sociopathy. These conditions lead to willful blindness of their own failings.

    • by Grey Geezer (2699315) on Thursday January 09, 2014 @02:53PM (#45909191)

      Yes, it's not just electronic communication either. A senior manager where my wife once worked wrote the code for the entry door keypad...on the keypad, because memorizing it (or writing it down on a piece of paper he would have to dig out of his pocket) was too much trouble. True story. (I'm sure you all have stories as bad or worse than this one.)

      • by cusco (717999) <brian@bixby.gmail@com> on Thursday January 09, 2014 @03:32PM (#45909717)

        I work in physical security. Executives are bad, but the absolute worst are doctors. There is a local hospital where the keypad code (1234) for the 'Doctors Entrance' hasn't changed in 23 years, because the doctors refuse to remember their own 4-digit code. Every attempt to change it has resulted in surgeons immediately marching into the executive offices and threatening to quit (really). Even an irate and armed ex-husband entering the hospital through that door didn't convince them. Getting them to use a key card is almost impossible unless they can have one card to leave in the Mercedes, another for the Porsche, and another in their desk that they can retrieve by tailgating into the building. /rant

        • Doctors... (Score:3, Insightful)

          by phorm (591458)

          I see your doctors and raise you... teachers (especially older teachers). Basically the attitude is "we're here to teach, not to learn" (or pay attention to some young whipper-snapper telling them how to use *their* equipment).

      • by Ben4jammin (1233084) on Thursday January 09, 2014 @03:33PM (#45909719)
        I once had to remove all the copy codes on all the copiers in the building because apparently the CFO was incapable of memorizing a 5 digit number...I wish I were making this up.
        • by aaarrrgggh (9205)

          It isn't a question of if they can or cannot remember a 5-digit number, they simply can't be bothered to remember it. Security has to be easy/transparent in order to work; it is just that executives have a lower pain threshold. Same net effect as making everyone change unique, secure passwords every week. They WILL end up on a post-it.

        • by slapout (93640) on Thursday January 09, 2014 @05:14PM (#45911001)

          So you're saying the Financial Officer wasn't good with numbers?

        • by dbIII (701233)
          One amusing example I shamelessly exploited was a two digit code on the copier in a University engineering department. Eventually one hundred people had access so any two digit code worked.
    • by swschrad (312009) on Thursday January 09, 2014 @02:56PM (#45909221) Homepage Journal

      "I am the Senior Vice-Neutron for Intracorporation Multinational Reassignment! You must open port 23 at once so I can check my stocks!" who hasn't heard something like that?

      • by cusco (717999) <brian@bixby.gmail@com> on Thursday January 09, 2014 @03:47PM (#45909919)

        Having to unblock AOL so that the marketing exec could send/receive company documents to his personal email account was annoying. The subsequent flood of spam was the only thing that let my boss get away with blocking AOL again. The marketing exec was surprised at our reaction, he just thought that was the way email systems were supposed to be.

        This was the same idiot who needed his laptop reinstalled three times in four months when he installed the latest version of AOL's client software the same day it was released.

    • by asylumx (881307)
      They are also the employees who are more likely to be dealing with secure or private information, so it does stand to reason that they'd be more likely to accidentally share that information.
      • by AJH16 (940784)

        And they are also the ones more likely to be willing to admit it without fear of reprisal.

        • by jandrese (485)
          Also, they're not in as much danger of losing their jobs if they admit it.
    • The Sun is hot.
      Water is wet.
      Politicians lie.

      Film at 11.

    • by LVSlushdat (854194) on Thursday January 09, 2014 @03:48PM (#45909921)

      Have seen senior managers (CEO-level) saving their daily-to-do's emails in the TRASH!!

      Back in the 90s, the company I worked for at the time was a Novell+Groupwise shop, and we discovered that the company CEO was saving important email to the Groupwise trash. Found this out when we did a trash purge over a weekend and come Monday morning, CEO's executive assistant was on the phone to support saying that the "big-boss" lost a LOT of important email... I was the foot-soldier on call that day, so I had to run down to his office and investigate. I had to fight hard to keep from laughing out loud when the assistant (big-wig was out of the office, but assistant had big-wig's password(s)) showed me just WHERE the emails had been stored, after a lot of prodding and question-asking.. Since I knew there had been a Groupwise trash purge over the weekend, I knew exactly where the mail had gone, but hoping against hope that the Novell salvage had not been cleared yet, I called the desk admin, and fortunately he was JUST getting ready to clear salvage.. I managed to stop him, and we were able to recover the big-wig's email.. Being I was the new guy, there was NOOOOO way I was gonna tell the CEO and his assistant "you DO NOT PUT EMAIL YOU WANT TO KEEP IN THE TRASH!!!" .. I left that up to my big-boss, the CIO... Needless to say we had many chuckles at the next month's team meeting...

      • Same thing has happened to me with saving mail in the trash, but luckily it wasn't a CEO and I could say don't do that. He still did it again later.

      • by dbIII (701233)

        Have seen senior managers (CEO-level) saving their daily-to-do's emails in the TRASH!!

        I had one of those too, but not very high level. He ripped into me about his important stuff vanishing in the lunchroom in front of a lot of witnesses, most of whom (including myself) were trying not to laugh.

        Yet another reason for frequent, good and easily available backups.

    • They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

      That is why you develop "dashboard applications" for their computer or phone that give them the overview that they want; it pre-empts them from asking for access to the actual data. The data can be accessed and summarized by the server-side software, which only sends the summary info needed for graphics and labeling on the client app.

      • by tqk (413719)

        That is why you develop "dashboard applications" for their computer or phone that gives them the overview that they want ...

        ... And the ship runs into an iceberg floating by and sinks anyway since nobody thought to look out a porthole from time to time. I'm sure I've heard this one before.

      • by sjames (1099)

        Found one [ebaystatic.com]

  • Shocking... (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Thursday January 09, 2014 @02:29PM (#45908831) Journal
    Who would have thought that immunity from consequences would lead to carelessness?
  • Maybe (Score:3, Insightful)

    by Anonymous Coward on Thursday January 09, 2014 @02:32PM (#45908885)

    58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall.

    Statistics like this are meaningless unless you know how often senior management is sending out information that requires filtering out sensitive information versus general workers. I would expect a CEO to send out more info than the mail clerk and hence a higher chance of sending out sensitive info.

  • Sampling bias (Score:4, Insightful)

    by SirGarlon (845873) on Thursday January 09, 2014 @02:43PM (#45909041)

    Senior managers *should* exchange a lot of communication with a lot of people. That creates more opportunities for a mistake. A rational policy would be for the people who most commonly transfer important information to have the best security tools and training.

    But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

    • Who exactly is going to educate these executives? The people being talked about in this article generally outrank in the corporate hierarchy the people who teach everybody else to maintain information security, on pain of being fired.
    • Have you ever tried to educate a senior exec? Sure, there's a few good ones out there, but for the most part you may well try teaching a dead dog to fetch your slippers.

      • Re:Sampling bias (Score:5, Insightful)

        by Trepidity (597) <<gro.hsikcah> <ta> <todhsals-muiriled>> on Thursday January 09, 2014 @02:52PM (#45909173)

        Trying to get them to follow any kind of IT policy is nearly futile as well. Many recognize the need for an IT policy in the abstract, and will be happy to sign off on something that the average worker has to follow, but they see themselves as a special case that needs more freedom to operate as they see fit.

        • by Spazmania (174582)

          Some have simply given up on trying to force the general-case IT policy to be useful. They "solve" the usability problem for their specific case by ignoring IT and using outside tools over which IT has no control.

          "IT goon: Business comes first. We're here to support your business!"

          "Me: Great! We build software systems based on open source, so our developers need access to github."

          "IT goon: Sorry, that's a file sharing site. Using it is against policy."

          "Me: You said business first. Our business uses open sour

      • by SirGarlon (845873)
        I don't report to senior executives, so no. But if I did, and they wouldn't listen to my ideas for how to minimize corporate espionage and massive data breaches, I would start looking for a new job where my professional skills were valued.
    • But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

      Yeah, I know - sarcasm... but educating a CxO isn't as hard as you think - the only real trick is to carve enough time out of them to do it.

      • I guess I have Sampling Bias too, but every time I have tried to do this I have been accused of trying to hold the organization back. I have had a lot of bad managers in my career I admit, and most of them equate their own convenience with "doing what is right for the organization."

    • Try to "educate" a "big picture" C*O guy on this and then re-edit your comment.

    • by msobkow (48369)

      "Let's not educate the executives?"

      Clearly you have never tried to "educate" an executive. Their inevitable response is "I need to do this", and to make you responsible for preventing the damage they risk and cause. It's the email administrator's fault that the email system let them send that financial report to the wrong people, dontcha know.

  • Senior management frequently consider themselves exempt from just about all company policies which apply to the lower ranks, it shouldn't be too surprising to find that IT security policy is among the ones they feel are below them.
  • Work is expected to get done over a weekend so I take it home.
    • So work hasn't assigned you a work laptop, or at the very least, given you a VPN so you can get into a secured network to get your files? Not even OWA or the other open source equivalents on the work network to email yourself at the work address instead of sending it to an unsecured third party email?
  • Need anything else be said?
  • Like sending AWS/rackspace management passwords in plain text by email. If you choose to drive drunk because you know better and kill someone, it is not an accident anymore.
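Two of the behaviours this thread keeps returning to leave traces that a mail gateway can act on before the message leaves: the summary's "send work materials to a personal email ... account" and the comment above about infrastructure passwords pasted into plain-text email. The following is an added illustration, not code from the thread or from any vendor: a small outbound-mail screen that flags consumer-webmail recipients and credential-shaped content, then returns the action a DLP rule would take. The personal-domain list, the `decide` thresholds and the sample messages are constructed assumptions; the `AKIA...` shape is the documented form of an AWS access key ID and the key used in the sample is AWS's own published placeholder.

```python
"""Outbound-mail screening for personal recipients and pasted credentials.
Added example: domain list, patterns and sample messages are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Consumer webmail domains treated as "personal" destinations (assumed list).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com", "outlook.com"}

# Content patterns for credentials that should never travel in clear text.
# AKIA + 16 upper-case alphanumerics is the documented AWS access key ID form;
# the other two are generic "label: value" and PEM private-key shapes.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "labelled_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    message_id: str
    rule: str
    detail: str


def recipient_domain(address: str) -> str:
    """Domain part of an address, lower-cased; tolerates a display-name-free form."""
    return address.rsplit("@", 1)[-1].strip(">").lower()


def scan_message(msg: Dict) -> List[Finding]:
    """Return every rule hit for one message (recipient rules, then content rules)."""
    findings: List[Finding] = []
    for rcpt in msg["to"]:
        if recipient_domain(rcpt) in PERSONAL_DOMAINS:
            findings.append(Finding(msg["id"], "personal_recipient", rcpt))
    text = msg["subject"] + "\n" + msg["body"]
    for name, pattern in CREDENTIAL_PATTERNS.items():
        for match in pattern.finditer(text):
            # Keep only a short prefix so the alert itself does not re-leak the secret.
            findings.append(Finding(msg["id"], name, match.group(0)[:8] + "..."))
    return findings


def decide(findings: List[Finding]) -> str:
    """Gateway action: block on any credential hit, alert on personal recipients, else allow."""
    rules = {f.rule for f in findings}
    if rules & set(CREDENTIAL_PATTERNS):
        return "block"
    if "personal_recipient" in rules:
        return "alert"
    return "allow"


def scan_mailbox(messages: List[Dict]) -> List[Finding]:
    return [f for msg in messages for f in scan_message(msg)]


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "to": ["cfo@example.com"], "subject": "Q3 numbers",
     "body": "Attached, see you at the board meeting."},
    {"id": "m2", "to": ["jsmith@aol.com"], "subject": "Fwd: board deck",
     "body": "Forwarding to myself so I can work on it from home tonight."},
    {"id": "m3", "to": ["ops@example.com", "me@gmail.com"], "subject": "rackspace + aws logins",
     "body": "Rackspace login - password: Hunter2!x and the key is AKIAIOSFODNN7EXAMPLE"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        hits = scan_message(msg)
        print(msg["id"], decide(hits), [(f.rule, f.detail) for f in hits])
```

The point of `decide` is that the two behaviours deserve different handling: a forwarded deck to a personal account is a policy question that an alert and a conversation can resolve, while a message carrying a password or key in the clear should not leave at all, regardless of who sent it.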
  • Your job as a security wank is to get the policies straight and give them to management to disseminate and get signatures on. Presumably, management has signed off on these just like everyone else. After that, it's mostly an HR problem.

  • by Solandri (704621) on Thursday January 09, 2014 @03:17PM (#45909519)
    A former boss of mine had a bad habit of hitting Reply instead of Compose when writing new emails. I noticed I'd get emails from her which were totally unrelated to the mail she'd hit Reply on. I warned her several times that that could be dangerous since hitting reply automatically includes the previous email(s) as a quote.

    Then one day it happened. She decided to send out a mass email to all staff, and composed it by hitting Reply on one of my emails. I got into work, checked my email, and did the biggest head-desk of my life. She had replied to one of my emails where we'd been discussing employee bonuses and pay raises, including extensive deliberation over what we were going to tell certain employees in their annual performance review. That lengthy discussion was quoted and got sent to the entire staff. Fortunately the damage wasn't as severe as it could have been - the four employees we'd discussed in the email thread were all good employees so most of our comments had been positive.

    On the up side, it broke her habit. She never composed a new email by hitting Reply again.
  • Maybe by other senior managers.

  • At my last job, upper management had different password strength requirements because they couldn't handle the normal ones designed to make them use secure passwords. Instead of 8 characters minimum with at least one capital letter, number and special character, they simply got away with 8 characters. Why? Because they complained enough, couldn't remember their passwords, and had the power to exempt themselves.
    • I call this the 'Executive Paradox'. At least on paper, the exec's time is extremely valuable. So if he is trying to bring up a presentation to say the Board of Directors (whose time is also extremely valuable) and has a password problem, a lot of extremely valuable time is wasted. So it is a lot riskier to impose security controls on senior managers than it is on lower level folks whose time isn't quite as valuable. The risk of a breach resulting from executive policy exceptions has to be weighed against t
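The two rule sets described in the post above (8 characters with an upper-case letter, a digit and a special character, versus a bare 8-character minimum for executives) are easy to state in prose and just as easy to forget about once the exception is granted. Expressing both as data makes the gap auditable: the same candidate can be checked against each policy, and an account inventory can be scanned for privileged users who sit on the weaker one. This is an added example, not code from the thread; the policy names, the `Account` fields and the sample accounts are constructed assumptions.

```python
"""Compare a standard password policy with an 'executive exception' policy
and audit which privileged accounts are on the weaker one.
Added example: policy names, Account fields and sample data are assumptions."""
import string
from dataclasses import dataclass
from typing import Callable, Dict, List

Rule = Callable[[str], bool]


def min_length(n: int) -> Rule:
    return lambda pw: len(pw) >= n


def has_class(chars: str) -> Rule:
    return lambda pw: any(c in chars for c in pw)


# The two rule sets from the post, as data so they can be diffed and audited.
POLICIES: Dict[str, Dict[str, Rule]] = {
    "standard": {
        "min_length_8": min_length(8),
        "has_upper": has_class(string.ascii_uppercase),
        "has_digit": has_class(string.digits),
        "has_special": has_class(string.punctuation),
    },
    # The exception keeps only the length rule; every composition rule is dropped.
    "executive_exception": {
        "min_length_8": min_length(8),
    },
}


def failed_rules(password: str, policy_name: str) -> List[str]:
    """Names of the rules in the policy that the candidate does not satisfy."""
    return [name for name, rule in POLICIES[policy_name].items() if not rule(password)]


def accepted_only_by_exception(password: str) -> bool:
    """True when the exception admits a password the standard policy would reject."""
    return (not failed_rules(password, "executive_exception")
            and bool(failed_rules(password, "standard")))


def dropped_rules(strong: str, weak: str) -> List[str]:
    """Rules present in the strong policy but missing from the weak one."""
    return [name for name in POLICIES[strong] if name not in POLICIES[weak]]


@dataclass
class Account:
    user: str
    policy: str
    privileged: bool  # e.g. holds finance, admin or board-material access


def exception_audit(accounts: List[Account]) -> List[str]:
    """Privileged users not on the standard policy: the exception is riskiest exactly here."""
    return [a.user for a in accounts if a.policy != "standard" and a.privileged]


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("cfo", "executive_exception", privileged=True),
    Account("ceo_assistant", "standard", privileged=True),
    Account("intern", "standard", privileged=False),
    Account("vp_marketing", "executive_exception", privileged=False),
]

if __name__ == "__main__":
    for candidate in ("password", "Passw0rd!"):
        print(candidate, {p: failed_rules(candidate, p) for p in POLICIES},
              "exception-only:", accepted_only_by_exception(candidate))
    print("dropped by exception:", dropped_rules("standard", "executive_exception"))
    print("privileged users on weaker policy:", exception_audit(SAMPLE_ACCOUNTS))
```

The audit output is the part worth keeping in a report: the exception is a business decision, but the list of privileged accounts it covers is what has to be weighed against the executive's time, which is the trade-off the reply above describes.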
  • From my experience they are also the biggest violators of porn, intentional breaking of assets to get a newer one, and keeping hardware on departure. When I was a DOD sysadmin all of our spillages (accidental classified material leakage) in a 10k person command were caused by O4's and above. Like the corporate world nothing happened except some long days and nights for the sysadmins to wipe all the systems, backups, and applications that touched the data. I'm sure if some lower enlisted person did it they w
  • by PPH (736903) on Thursday January 09, 2014 @05:19PM (#45911049)

    ... telling the top brass that they can't take their laptop home to play with. And hand over to the kid to play with. And let the kid download warez.

    When that thing comes back the next Monday morning, it's been totally pwned by any number of evil doers.

  • by 140Mandak262Jamuna (970587) on Thursday January 09, 2014 @05:40PM (#45911265) Journal
    Most senior managers are also older than the general population. At least some of them came of age before the PC era, mostly during the e-mail era. The older folks really do not understand how computers work, or how the networks are secured, or how much damage an intruder into their network can do. So we can blame at least part of the problem on their age rather than on management.

    Also most senior managers have flunkies, sidekicks and general assistants who do most of the errands for them. Some of them are not capable of doing very simple things like booking all the things needed for a vacation package over the internet.

    Add to this the sense of entitlement and belief that they are really really smart, because otherwise how can you explain the free markets bestowing upon them huge salaries? They must be smart; there is no other explanation in their mind. So they get really really careless.
