Senior Managers Are the Worst Information Security Offenders

An anonymous reader writes "As companies look for solutions to protect the integrity of their networks, data centers, and computer systems, an unexpected threat is lurking under the surface — senior management. According to a new survey, 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account to work remotely, putting that information at a much higher risk of being breached. 58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

Shocking...

[fuzzyfuzzyfungus]

Who would have thought that immunity from consequences would lead to carelessness?

Maybe

[Anonymous Coward]

58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

Statistics like this are meaningless unless you know how often senior management is sending out information that requires filtering out sensitive information versus general workers. I would expect a CEO to send out more info than the mail clerk and hence a higher chance of sending out sensitive info.

Re:Seen it on the job:

[Ben4jammin]

It will be a revelation to senior management.

They will in fact need reports such as this to recognize the reality that all us IT workers have known for years. See, the fact that you don't understand that is why you are likely not in senior management :)

Sampling bias

[SirGarlon]

Senior managers *should* exchange a lot of communication with a lot of people. That creates more opportunities for a mistake. A rational policy would be for the people who most commonly transfer important information to have the best security tools and training.

But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

Re:Maybe

[SJHillman]

"Senior management" doesn't always equate to "paid millions". I work at a medium sized company, around 1000 employees, but of the 20 or so individuals that would qualify as "senior management", only two of them are "one-percenters", and neither of them is even close to a half million in salary. Sure, they're paid more than the rest of us but for most companies, the difference isn't nearly as vast as you seem to imagine it to be.

Re:Seen it on the job:

[Penguinisto]

Sad, but true.

I remember a CEO of a moderate-sized corp (!?) who didn't see the need for locking down his Blackberry.... until he lost it one night while out on the town. Took me all of five minutes to crawl out of bed and wipe/lock the device remotely via BES, but the funny part was that it took that incident (and a gentle explanation of why I wiped his device - he originally wanted me to "locate" it for him) before he figured out that security was more than just a buzzword that got in his way.

Re:Sampling bias

[Trepidity]

Trying to get them to follow any kind of IT policy is nearly futile as well. Many recognize the need for an IT policy in the abstract, and will be happy to sign off on something that the average worker has to follow, but they see themselves as a special case that needs more freedom to operate as they see fit.

Re:Seen it on the job:

[MickyTheIdiot]

So the moral of the story is we should all get together and set up a Gartner-like "consulting" firm where we make C*O's pay million dollar consulting fees and (unlike Gartner) they get the common-sense information they can get from any security text book since the C*Os will only listen to advice that they pay a bazillion dollars for. They are mentally incapable of listening to the smart IT guy in their department that they pay $40k a year.

Re:Seen it on the job:

[Anonymous Coward]

Good! Overly locked down IT systems are the cause of this issue. Every time an IT manager locks something down, someone has to find a work around to get their job done. The result, instead of going through a fairly controlled set of internal (but trusting of internal users) systems, the content just gets pushed to external systems as a work around, and a much bigger security issue appears.

Re:Seen it on the job:

[cusco]

I work in physical security. Executives are bad, but the absolute worst are doctors. There is a local hospital where the keypad code (1234) for the 'Doctors Entrance' hasn't changed in 23 years, because the doctors refuse to remember their own 4-digit code. Every attempt to change it has resulted in surgeons immediately marching into the executive offices and threatening to quit (really). Even an irate and armed ex-husband entering the hospital through that door didn't convince them. Getting them to use a key card is almost impossible unless they can have one card to leave in the Mercedes, another for the Porsche, and another in their desk that they can retrieve by tailgating into the building. /rant

Re:Seen it on the job:

[Sir or Madman]

And have their passwords on a sticky note attached to their monitor.

Then stop making up change our passwords every 2 months. We all know that doesn't work anyway.

Re: Seen it on the job:

[Bengie]

The value of money is relative to the cost of living. Keep your $100k/year job with $300k house and 3 hours commute. I'll stick with my lower paying job in a smaller town with a $100k house that is much larger than yours and 5 minute commute.

Re:Seen it on the job:

[Anonymous Coward]

>If a big-wig with a hefty 6 figure check messes up, it isn't the same story.

Oh, it's the same story all right, and the big-wig will BLAME IT ON YOU.

Seniority in management or age?

[140Mandak262Jamuna]

Most senior managers are also older than general population. At least some of them came of age before the PC era, mostly during e-mail era. The older folks really do not understand how computers work, or how the networks are secured or how much damage an intruder into their network can do. So we can blame at least part of the problem to their age, than management.

Also most senior managers have flunkies, sidekicks and general assistants who do most of the errands for them. Some of them are not capable of doing very simple things like booking all the things needed for a vacation package over the internet.

Add to this the sense of entitlement and belief that they are really really smart because otherwise how can you explain the free markets bestowing upon them huge salaries? They must be smart there is no other explanation in their mind. So they get really really careless.

Doctors...

[phorm]

I see your doctors and raise you... teachers (especially older teachers). Basically the attitude is "we're here to teach, not to learn" (or pay attention to some young whipper-snapper telling them how to use *their* equipment).

Re:Maybe

[KramberryKoncerto]

While it's often easier in certain ways than doing "real" work, it's also less of a leisure activity than it seems. One could be anxious that he didn't kiss enough asses, for example. I know I hate it.

For most people it's already troublesome to meet people all the time for business, especially when you don't always enjoy their company. A lot of these CEOs would rather spend time with their family, actual friends or perhaps mistresses. Some, though, can find themselves enjoy the act more than other work, while still treating it seriously and develop actual skills for it. Arguably we can say the same about coders who like to code.

Re:do yo u really think senior mgmt will read a bo

[rtb61]

Ego and arrogance got them their position at the top (all that corporate back stabbing, taking credit for other people's work and of course blaming anyone and everyone for executives own mistakes), so it is hardly surprising that the same attitude arising in the security decision making. Security if for the little people the nobodies, I pay you to make me secure, it's your fault, your fired, is senior managements normal attitude to security.