Senior Managers Are the Worst Information Security Offenders

An anonymous reader writes "As companies look for solutions to protect the integrity of their networks, data centers, and computer systems, an unexpected threat is lurking under the surface — senior management. According to a new survey, 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account to work remotely, putting that information at a much higher risk of being breached. 58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

Seen it on the job:

[Hartree]

This is supposed to be some great revelation?

They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

Re:Seen it on the job:

[Ben4jammin]

It will be a revelation to senior management.

They will in fact need reports such as this to recognize the reality that all us IT workers have known for years. See, the fact that you don't understand that is why you are likely not in senior management :)

Re:Seen it on the job:

[Penguinisto]

Sad, but true.

I remember a CEO of a moderate-sized corp (!?) who didn't see the need for locking down his Blackberry.... until he lost it one night while out on the town. Took me all of five minutes to crawl out of bed and wipe/lock the device remotely via BES, but the funny part was that it took that incident (and a gentle explanation of why I wiped his device - he originally wanted me to "locate" it for him) before he figured out that security was more than just a buzzword that got in his way.

Re:

[i kan reed]

Regarding you're sig: if it's a UDP opinion, doesn't that mean you don't want anyone to acknowledge it?

Re:Seen it on the job:

[Penguinisto]

It means I don't particularly worry if anyone does or not. ;)

Re:Seen it on the job:

[MickyTheIdiot]

So the moral of the story is we should all get together and set up a Gartner-like "consulting" firm where we make C*O's pay million dollar consulting fees and (unlike Gartner) they get the common-sense information they can get from any security text book since the C*Os will only listen to advice that they pay a bazillion dollars for. They are mentally incapable of listening to the smart IT guy in their department that they pay $40k a year.

do yo u really think senior mgmt will read a book?

[logicassasin]

what land is this you live in?

No, seriously upper management has ALWAYS been the bane of anything IT related. Every boneheaded request, every response of "well, why can't I do that?" or "... it would just be easier for me that way..." always comes from senior management and no matter how many times you tell them why it has to be done a certain way, they just don't get it.

Re:do yo u really think senior mgmt will read a bo

[rtb61]

Ego and arrogance got them their position at the top (all that corporate back stabbing, taking credit for other people's work and of course blaming anyone and everyone for executives own mistakes), so it is hardly surprising that the same attitude arising in the security decision making. Security if for the little people the nobodies, I pay you to make me secure, it's your fault, your fired, is senior managements normal attitude to security.

Re:

[dbIII]

Yes but people not in IT often can't imagine the possible consequences so this is news to them.

It's creeping into popular culture though - a major plot point of one of the "Torchwood" mini series was a manager ignoring security and letting a temp use their login and password. Others in that office treated it as a normal situation.

Reality is just like that in far too many places.

Re:

[MickyTheIdiot]

Where do you live? You do realize that people live in the states between the two coasts, right? You can have a very sharp IT guy making $40k here and be doing okay.

But, anyway, you missed the point by picking at example.

Re: Seen it on the job:

[Bengie]

The value of money is relative to the cost of living. Keep your $100k/year job with $300k house and 3 hours commute. I'll stick with my lower paying job in a smaller town with a $100k house that is much larger than yours and 5 minute commute.

Re:

[multisync]

Keep your $100k/year job with $300k house and 3 hours commute

OT, but wow, they sell houses for $300k where you live? I would have trouble finding a one-bedroom condo for $300k in my neck of the woods.

Re: Seen it on the job:

[the grace of R'hllor]

Move to Detroit. I've seen free-standing houses for less than $5000 on some real estate sites. Plus it's in a colorful, lively neighborhood.

Re:

[Sedated2000]

I built a brand new 1850sqft house with all the bells and whistles (granite/hardwood floors) for less than 300K. I live in Hampton Roads, Virginia. My house isn't unusually cheap or expensive for what I got either, it's about middle of the road in price.

Re:

[jedidiah]

Less than 300K meaning $299,999.99.

Re:

[multisync]

It will be a revelation to senior management.

They will in fact need reports such as this to recognize the reality that all us IT workers have known for years.

Yeah, right. Senior management will never read a report titled "Senior managers are the worst information security offenders" on a site called net-security.org, any more than they would read a report at motherjones.com about the disparity between the wages of regular employees and executives.

Re:Seen it on the job:

[whoever57]

It will be a revelation to senior management.

No, it won't. Senior managers are very often less intelligent than the people they oversee. What senior managers possess is greater (but misplaced) confidence in their own abilities and/or some level of sociopathy. These conditions lead to willful bindness of their own failings.

Re:

[dcollins]

These words are all crystallized truth.

Re:Seen it on the job:

[Grey Geezer]

Yes, It's not just electronic communication either. A senior manager where my wife once worked wrote the code for the entry door keypad...on the keypad, because memorizing it (or writing it down on a piece of paper he would have to dig out of his pocket) was too much trouble. True story. (I'm sure you all have stories as bad or worse than this one.)

Re:Seen it on the job:

[cusco]

I work in physical security. Executives are bad, but the absolute worst are doctors. There is a local hospital where the keypad code (1234) for the 'Doctors Entrance' hasn't changed in 23 years, because the doctors refuse to remember their own 4-digit code. Every attempt to change it has resulted in surgeons immediately marching into the executive offices and threatening to quit (really). Even an irate and armed ex-husband entering the hospital through that door didn't convince them. Getting them to use a key card is almost impossible unless they can have one card to leave in the Mercedes, another for the Porsche, and another in their desk that they can retrieve by tailgating into the building. /rant

Doctors...

[phorm]

I see your doctors and raise you... teachers (especially older teachers). Basically the attitude is "we're here to teach, not to learn" (or pay attention to some young whipper-snapper telling them how to use *their* equipment).

Re:

[The Wild Norseman]

Why is there even a code on the Doctor's enterance in the first place? The Doctor's have enough to be concerned with without someone elses technological "solution" getting in their way.

Exactly. Doctors do not need a coded door; they just need a body of water to walk on.

Re:Seen it on the job:

[Ben4jammin]

I once had to remove all the copy codes on all the copiers in the building because apparently the CFO was incapable of memorizing a 5 digit number...I wish I were making this up.

Re:

[aaarrrgggh]

It isn't a question of if they can or cannot remember a 5-digit number, they simply can't be bothered to remember it. Security has to be easy/transparent in order to work; it is just that executives have a lower pain threshold. Same net effect as making everyone change unique, secure passwords every week. They WILL end up on a post-it.

Re:Seen it on the job:

[slapout]

So your saying the Financial Officer wasn't good with numbers?

Re:

[dbIII]

One amusing example I shamelessly exploited was a two digit code on the copier in a University engineering department. Eventually one hundred people had access so any two digit code worked.

anybody on a Helldesk can testify to this

[swschrad]

"I am the Senior Vice-Neutron for Intracorporation Multinational Reassignment! You must open port 23 at once so I can check my stocks!" who hasn't heard something like that?

Re:anybody on a Helldesk can testify to this

[cusco]

Having to unblock AOL so that the marketing exec could send/receive company documents to his personal email account was annoying. The subsequent flood of spam was the only thing that let my boss get away with blocking AOL again. The marketing exec was surprised at our reaction, he just thought that was the way email systems were supposed to be.

This was the same idiot who needed his laptop reinstalled three times in four months when he installed the latest version of AOL's client software the same day it was released.

Re:

[asylumx]

They are also the employees who are more likely to be dealing with secure or private information, so it does stand to reason that they'd be more likely to accidentally share that information.

Re:

[AJH16]

And they are also the ones more likely to be willing to admit it without fear of reprisal.

Re:

[jandrese]

Also, they're not in as much danger of losing their jobs if they admit it.

In other news...

[sconeu]

The Sun is hot.
Water is wet.
Politicians lie.

Film at 11.

Re:Seen it on the job:

[LVSlushdat]

Have seen senior managers (CEO-level) saving their daily-to-do's emails in the TRASH!!

Back in the 90s, the company I worked for at the time, was a Novell+Groupwise shop, and we discovered that the company CEO was saving important email to the Groupwise trash. Found this out when we did a trash purge over a weekend and come Monday morning, CEO's executive assistant was on the phone to support saying that the "big-boss" lost a LOT of important email... I was the foot-soldier on call that day, so I had to run down to his office, and investigate. I had to fight hard to keep from laughing out loud when the assistant (big-wig was out of the office, but assistant had big-wigs password(s)) showed me just WHERE the emails had been stored, after a lot of prodding and question-asking.. Since I knew there had been a Groupwise trash purge over the weekend, I knew exactly where the mail had gone, but hoping against hope that the Novell salvage had not been cleared yet, I called the desk admin, and fortuantly he was JUST getting ready to clear salvage.. I managed to stop him, and we were able to recover the big-wigs email.. Being I was the new-guy, there was NOOOOO way I was gonna tell the CEO and his assistant "you DO NOT PUT EMAIL YOU WANT TO KEEP IN THE TRASH!!!" .. I left that up to my big-boss, the CIO... Needless to say we had many chuckles at the next months team meeting...

Re:

[MickyTheIdiot]

Same thing has happened to me with saving mail in the trash, but luckily it wasn't a CEO and I could say don't do that. He still did it again later.

Re:

[dbIII]

Have seen senior managers (CEO-level) saving their daily-to-do's emails in the TRASH!!

I had one of those too but not very high level. He ripped into me about his important stuff vanishing in the lunchroom in front of a lot of witnesses, most (including myself) who were trying not to laugh.

Yet another reason for frequent, good and easily available backups.

Given them a dashboard app instead of access

[perpenso]

They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

That is why you develop "dashboard applications" for their computer or phone that gives them the overview that they want, it pre-empts them from asking for access to the actual data. The data can be accessed and summarized by the server side software that only send the summary info needed for graphics and labeling on the client app.

Re:

[tqk]

That is why you develop "dashboard applications" for their computer or phone that gives them the overview that they want ...

... And the ship runs into an iceberg floating by and sinks anyway since nobody thought to look out a porthole from time to time. I'm sure I've heard this one before.

Re:

[sjames]

Found one [ebaystatic.com]

Re:

[Anonymous Coward]

Good! Overly locked down IT systems are the cause of this issue. Every time an IT manager locks something down, someone has to find a work around to get their job done. The result, instead of going through a fairly controlled set of internal (but trusting of internal users) systems, the content just gets pushed to external systems as a work around, and a much bigger security issue appears.

^^^ This guy is a Senior Manager

[logicassasin]

I've heard some of that near verbatim from senior management whenever a new security measure is introduced.

Re:

[alen]

in some cases this is a real solution

imagine an apple employee working via VPN and downloading new code to their home computer and then share it to the world accidentally. or any company working on a new product. or hipaa data

in these cases there should be a virtual desktop solution or some application front end to do work. my wife has access to some outside of VPN apps to do work with HIPAA data

Re:Seen it on the job:

[CthulhuDreamer]

The CEO of a company I used to work for claimed the VPN was inconvenient, so he would basically sync our entire file server to his laptop every day - marketing, finance, development projects, the works. His laptops were also constantly being misplaced or stolen, so who know how many copies of everything we had are floating around out there. Every business trip was a major security breach in the making.

Re:Seen it on the job:

[MickyTheIdiot]

In Indiana an admin can be held legally responsible if their network isn't properly secure. I understand what you are saying here, but there are professional and sometimes legal reasons something is more secure than an exec wants.

And while I agree you have your paranoid admins, most admins are struggling just to do basic security that no admin would consider controversial. Like someone else already said... there are many, many papertrails out there so that an admin can show that they attempted to do basic security but they couldn't do it because some big fish in a little pond wanted to be sure he could telnet in from bolivia.

Re:

[Grishnakh]

Um, this seems wrong. If senior management doesn't like the way the IT manager is running things, then why are they letting him keep his job? If they're above him (i.e., they're his bosses), then they need to either follow his rules, or they need to fire him and replace him someone who does things they way they like.

Re:

[jbolden]

Companies aren't a line they are complex web of competing interests more like a society. Lots of people have enough authority to bypass or get special permission for security policies but don't have the power to change them for the whole company or fire the IT security manager.

Re:

[turbidostato]

"Lots of people have enough authority to bypass or get special permission for security policies but don't have the power to change them for the whole company or fire the IT security manager."

And a lot of times it's simply they *want* the 'statu quo': they want and enforce draconian security for the minions and exceptions for them, both because the draconian security model doesn't work at all, so they really need to bypass it, and because that way it's obvious they are top brass and the other people just min

Re:

[Sir or Madman]

And have their passwords on a sticky note attached to their monitor.

Then stop making up change our passwords every 2 months. We all know that doesn't work anyway.

Re:

[Anonymous Coward]

>If a big-wig with a hefty 6 figure check messes up, it isn't the same story.

Oh, it's the same story all right, and the big-wig will BLAME IT ON YOU.

Shocking...

[fuzzyfuzzyfungus]

Who would have thought that immunity from consequences would lead to carelessness?

Re:

[i kan reed]

[Insert generic dig at the financial industry here]

Re:

[bill_mcgonigle]

What, "incentives matter"? These days that's enough to get you labeled an anarchist.

Maybe

[Anonymous Coward]

58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

Statistics like this are meaningless unless you know how often senior management is sending out information that requires filtering out sensitive information versus general workers. I would expect a CEO to send out more info than the mail clerk and hence a higher chance of sending out sensitive info.

Re:Maybe

[SJHillman]

"Senior management" doesn't always equate to "paid millions". I work at a medium sized company, around 1000 employees, but of the 20 or so individuals that would qualify as "senior management", only two of them are "one-percenters", and neither of them is even close to a half million in salary. Sure, they're paid more than the rest of us but for most companies, the difference isn't nearly as vast as you seem to imagine it to be.

Re:

[queazocotal]

Quite.
But - if the senior managers are dealing with 100* the sensitive material that a normal employee does - then their rate is very considerably better indeed.
They only need to deal with four times as much sensitive information to do twice as well.

Re:

[Spazmania]

They aren't paid more because of their caution.

Re:

[sjames]

In theory, yes. In practice, expect a toddler with a gun scenario.

Re:

[MickyTheIdiot]

No.. he just still believes the propaganda.

Re:

[Penguinisto]

Seriously? The average CEO salary is nowhere near "millions". You only find that kind of cheddar in the Fortune 500 companies, and even then you'd often have to count stock options into the total.

Hell, in the last two companies I worked in, the School Board Superintendent of Portland, OR made more ($250k) than either of them (~$150k and $175k, respectively).

Re:

[Grishnakh]

Here in New Jersey, all the school board superintendents make around $250k. What's really interesting is that just about every little town and municipality has its own, separate school board, so a typical "school district" probably only comprises 2 or 3 schools (elementary, middle, high school). Yet each one has its own superintendent and associated bureaucracy, with lots of administrators making huge salaries and getting generous retirement pensions. This is a big reason why the property taxes in this s

Re:

[dbIII]

That combined with all the cuts is starting to explain why children in Nigeria are starting to get a better grounding than a lot of children in the USA.

Re:

[afidel]

The median compensation for CEO's of publicly traded companies in 2011 was $9.6M source [huffingtonpost.com].

Re:

[Penguinisto]

Counting only publicly-traded companies is cherry-picking, me lad.

Re:

[afidel]

It's the only actual data available, only the IRS would have the information for privately held companies.

Re:

[loufoque]

For small-medium companies, the CEO is only paid 150k to 350k.

Re:

[MickyTheIdiot]

which is STILL more than the guy doing all the work.

Re:

[loufoque]

A CEO typically does 80-hour weeks, and has a sufficiently good understanding of the product and the market that he managed to make a business with it.
Do you seriously think that it's a problem that he's paid marginally more than his employees that do 40-hour weeks and don't directly contribute to bringing money inside the company?

Re:

[jmcvetta]

I call BS on the claim that CEOs typically work significantly longer hours than their employees. I've never once observed this first-hand at any company I have worked with. Also some CEO activities such as going to fancy dinners with clients, while perhaps important to the company, are closer to leisure than to work.

Re: Maybe

[loufoque]

Try funding your own company and you'll see.

Re:

[Pope]

They do, they're just not at the office, they're at home.

  And going to "fancy dinners with clients" is about networking: keeping current clients happy and trying to get new ones. You know, to produce income?

Re:

[jmcvetta]

And going to "fancy dinners with clients" is about networking: keeping current clients happy and trying to get new ones. You know, to produce income?

As said, it may well be quite valuable to the company. But it is nevertheless more similar to leisure than to labor.

Re:

[KramberryKoncerto]

While it's often easier in certain ways than doing "real" work, it's also less of a leisure activity than it seems. One could be anxious that he didn't kiss enough asses, for example. I know I hate it.

For most people it's already troublesome to meet people all the time for business, especially when you don't always enjoy their company. A lot of these CEOs would rather spend time with their family, actual friends or perhaps mistresses. Some, though, can find themselves enjoy the act more than other work, whi

Re:

[DeSigna]

Getting a bit OT here, but I have not worked at a single company where the CEO/Managing Director/whatever did not work at least 2x the number of hours of practically everyone else.

For my current boss, stock market dabbling is leisure. Wining and dining whiners and strategic customers can be fun but it means he doesn't get spend time with the wife or golfing or just chilling in front of the TV. He's in at 5am checking projections and talking with vendors/big customers, regularily leaves at 4pm to go to busin

Re:

[MickyTheIdiot]

Actually, I don't have a problem with a CEO getting paid marginally more, but the numbers of employees "not bringing money inside the company" tend to be a lot smaller than the executive-worshiping culture likes to admit. Plus I don't believe any employee is 300 times more valuable than any other, but then I am a dirty hippie, eh?

Sampling bias

[SirGarlon]

Senior managers *should* exchange a lot of communication with a lot of people. That creates more opportunities for a mistake. A rational policy would be for the people who most commonly transfer important information to have the best security tools and training.

But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

Re:

[Attila Dimedici]

Who exactly is going to educate these executives? The people being talked about in this article generally outrank in the corporate hierarchy the people who teach everybody else to maintain information security, on pain of being fired.

Re:

[SJHillman]

Have you ever tried to educate a senior exec? Sure, there's a few good ones out there, but for the most part you may well try teaching a dead dog to fetch your slippers.

Re:Sampling bias

[Trepidity]

Trying to get them to follow any kind of IT policy is nearly futile as well. Many recognize the need for an IT policy in the abstract, and will be happy to sign off on something that the average worker has to follow, but they see themselves as a special case that needs more freedom to operate as they see fit.

Re:

[Spazmania]

Some have simply given up on trying to force the general-case IT policy to be useful. They "solve" the usability problem for their specific case by ignoring IT and using outside tools over which IT has no control.

"IT goon: Business comes first. We're here to support your business!"

"Me Great! We build software systems based on open source, so our developers need access to github."

"IT goon: Sorry, that's a file sharing site. Using it is against policy."

'Me: You said business first. Our business uses open sour

Re:

[SirGarlon]

I don't report to senior executives, so no. But if I did, and they wouldn't listen to my ideas for how to minimize corporate espionage and massive data breaches, I would start looking for a new job where my professional skills were valued.

Re:

[Penguinisto]

But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

Yeah, I know - sarcasm... but educating a CxO isn't as hard as you think - the only real trick is to carve enough time out of them to do it.

Re:

[MickyTheIdiot]

I guess I have Sampling Bias too, but ever time I have tried to do this I have been accused of trying to hold the organization back. I have had a lot of bad mangers in my career I admit, and most of them equate their own convenience with "doing what is right for the organization."

Re:

[MickyTheIdiot]

Try to "educate" a "big picture" C*O guy on this and then re-edit your comment.

Re:

[msobkow]

"Let's not educate the executives?"

Clearly you have never tried to "educate" an executive. Their inevitable response is "I need to do this", and to make you responsible for preventing the damage they risk and cause. It's the email administrator's fault that the email system let them send that financial report to the wrong people, dontcha know.

Why is this surprising?

[megla]

Senior management frequently consider themselves exempt from just about all company policies which apply to the lower ranks, it shouldn't be too surprising to find that IT security policy is among the ones they feel are below them.

I'm guilty of this and I'm not even senior.

[ip_freely_2000]

Work is expected to get done over a weekend so I take it home.

Re:

[sandytaru]

So work hasn't assigned you a work laptop, or at the very least, given you a VPN so you can get into a secured network to get your files? Not even OWA or the other open source equivalents on the work network to email yourself at the work address instead of sending it to an unsecured third party email?

"Ram it through"

[chispito]

Need anything else be said?

"Accidentally"

[gmuslera]

Like sending AWS/rackspace management passwords in plain text by email. If you choose to drive drunk because you know better and kill someone is not an accident anymore.

So, your company has no AUP?

[sl4shd0rk]

You job as a security wank is to get the policies straight and give them to management to disseminate and get signatures on. Presumably, management has signed off on these just like everyone else. After that, it's mostly an HR problem.

Epic facepalm moments

[Solandri]

A former boss of mine had a bad habit of hitting Reply instead of Compose when writing new emails. I noticed I'd get emails from her which were totally unrelated to the mail she'd hit Reply on. I warned her several times that that could be dangerous since hitting reply automatically includes the previous email(s) as a quote.

Then one day it happened. She decided to send out a mass email to all staff, and composed it by hitting Reply on one of my emails. I got into work, checked my email, and did the biggest head-desk of my life. She had replied to one of my emails where we'd been discussing employee bonuses and pay raises, including extensive deliberation over what we were going to tell certain employees in their annual performance review. That lengthy discussion was quoted and got sent to the entire staff. Fortunately the damage wasn't as severe as it could have been - the four employees we'd discussed in the email thread were all good employees so most of our comments had been positive.

On the up side, it broke her habit. She never composed a new email by hitting Reply again.

Re:

[140Mandak262Jamuna]

Nah, even gmail hides all the previous thread under a tiny icon that has three dots.

"Unexpected"?

[grasshoppa]

Maybe by other senior managers.

Upper management gets special treatment

[GodBlessTexas]

At my last job, upper management had different password strength requirements because they couldn't handle the normal ones designed to make them use secure passwords. Instead of 8 characters minimum with at least one capital letter, number and special character, they simply got away with 8 characters. Why? Because they complained enough, couldn't remember their passwords, and had the power to exempt themselves.

Re:

[jbmartin6]

I call this the 'Executive Paradox'. At least on paper, the exec's time is extremely valuable. So if he is trying to bring up a presentation to say the Board of Directors (whose time is also extremely valuable) and has a password problem, a lot of extremely valuable time is wasted. So it is a lot riskier to impose security controls on senior managers than it is on lower level folks whose time isn't quite as valuable. The risk of a breach resulting from executive policy exceptions has to be weighed against t

And more

[jasper160]

From my experience they are also the biggest violators of porn , intentional breaking of assets to get a newer one, and keeping hardware on departure. When I was a DOD sysadmin all of our spillages (accidental classified material leakage) in a 10k person command were caused by O4's and above. Like the corporate world nothing happened except some long days and nights for the sysadmins to wipe all the systems, backups, and applications that touched the data. I sure if some lower enlisted person did it they w

Just try ...

[PPH]

... telling the top brass that they can't take their laptop home to play with. And hand over to the kid to play with. And let the kid download warez.

When that thing comes back the next Monday morning, its been totally pwned by any number of evil doers.

Seniority in management or age?

[140Mandak262Jamuna]

Most senior managers are also older than general population. At least some of them came of age before the PC era, mostly during e-mail era. The older folks really do not understand how computers work, or how the networks are secured or how much damage an intruder into their network can do. So we can blame at least part of the problem to their age, than management.

Also most senior managers have flunkies, sidekicks and general assistants who do most of the errands for them. Some of them are not capable of doing very simple things like booking all the things needed for a vacation package over the internet.

Add to this the sense of entitlement and belief that they are really really smart because otherwise how can you explain the free markets bestowing upon them huge salaries? They must be smart there is no other explanation in their mind. So they get really really careless.

Re:

[MickyTheIdiot]

goo goo g'joob

Re:

[tqk]

Coo coo cachoo, surely.

Re:

[Spiked_Three]

Back then, didn't have to lie about it. People where more interested in what you knew, as opposed to how much money you paid for a piece of paper. But yeah, it was right around the time that was changing, so maybe that's it.