When an internal information breach happens, the perception may be it’s the fault of lower-level staff ; yet senior managers, who have access to sensitive, unencrypted information, are often more likely to accidentally share information outside the boundaries of a company’s firewall.
Fifty-eight percent of senior managers have accidentally shared information with the wrong person, according to a survey of 764 information workers by computer forensics firm Stroz Friedberg. In addition, 87 percent of senior managers send work materials to a personal email or cloud storage account, putting company information at a much higher risk of being accessed or stolen.
When senior managers aren’t following their own policies, it sets a dangerous tone. In fact, more than 60 percent of the Stroz Friedberg survey respondents gave their company’s information-security preparedness a grade of “C,” according to the survey.
“If you have security standards and security controls, you can’t have senior people that handle the most sensitive information engaging in practices that are knowingly unsafe,” says Ed Stroz, executive chairman at Stroz Friedberg.
Joel Lanz, principal of his own technology risk management company, agrees. “If [C-level] executives don’t believe customer protection is important, people below them won’t believe it’s important,” he says. If a company has a strict culture of security and the senior people are disregarding the policies by using unapproved web- or cloud-based applications, “then it makes the whole function of [of cyber security] a joke,” Stroz says, and “that’s hugely destructive.”
Employees often are unaware of the consequences of their actions when they send documents to a personal email account, access company data over a coffee house’s unencrypted WiFi network or exchange information by way of a USB device, explains Dan Schroeder, partner-in-charge of information assurance and risk management at Habif, Arogeti & Wynne.
With companies encouraging a “Bring Your Own Device” strategy, corporations need to be stricter about those policies, including what apps and websites employees are allowed to use and access on smartphones and tablets, Stroz says.
For example, if a company uses Microsoft Outlook email, on the backend IT should be able to control the way information is accessed on mobile devices. Stroz suggests using mobile security software, such as Good, that allows companies to limit where data can go and how it’s accessed.
Fixing the problem
The first step is risk analysis followed by risk awareness, Schroeder says. Training sessions that teach employees what is sensitive information, what is personal information and what is confidential information will make workers more conscious of cyber security.
Getting managers and workers to stick to the policies is another matter. Part of the reason information security may not be enforced is that companies often aren’t clear about who owns the risk. According to the Stroz Friedberg survey, 45 percent of respondents said they themselves, as senior managers, are responsible for protecting their data against cyber attacks, while 54 percent of lower-ranking employees said that it’s an IT problem.
Cyber security is a business problem first and foremost, says experts, and in many companies, it’s the CFO who should be invested in the level of IT security and the IT department’s approach to security issues. But a CFO and an IT department often speak a different language.
Instead of focusing on what the CFO cares about — risk and reward —security people tend to present an “all-or-nothing solution,” says Lanz. Yet, CFOs need to highlight their communications skills. Part of their job is translating jargon into easily digestible terms. As long as CFOs ask the right questions to IT professionals, they’ll be able to work with them to address cyber security as a business issue.