Senior managers are the worse offenders of information security, because of a combination of job pressures, busy schedules and an attitude that they are above the rules, an expert says.
A recent study by Sroz Friedberg, which specializes in digital forensics and risk management, found that almost nine in 10 senior managers regularly uploaded work files to a personal email or cloud account.
In addition, more than half had accidentally sent the wrong person sensitive information and had taken files with them after leaving a job. The percentages, 58 percent and 51 percent, respectively, were much higher than for general office workers.
The reason why senior management skirts the rules is twofold. First, they tend to be under a lot of pressure due to their busy schedules, so they often have no patience for security measures that add time, Eric Friedberg, co-founder and executive chairman of the firm, said. In addition, many managers, particularly in large organizations, travel a lot and often find themselves in countries or hotels where Internet access is subpar.
"They often can't deal with the complexity and inconvenience of connecting to the corporate network through a secure channel (such as a virtual private network)," Friedberg said.
There are also those senior managers who feel they are above the rules. The chairman of a public company Stroz Friedberg worked with had his email tapped for six months, because he never changed his password.
"He just said, 'I'm above it. Changing passwords is not for me,'" Friedberg said.
Inflated egos when it comes to security are more often found in companies in which security is not practiced and emphasized at the C-level.
"In a company where there's not a pervasive culture of security emanating from the top of the organization, the top people believe that somehow their status exempts them from corporate policies," Friedberg said.
Fact is, for a company to make good security practices a normal part of doing business, senior management has to abide by the same rules as everyone else.
"That culture of security comes from the top of the organization," Friedberg said. "Managers and senior executives have to be active proponents and evangelical about security as part of the corporate culture."
In regards to the high percentage of executives who use personal email to upload work files, Friedberg believed many did not understand the potential consequences.
If a legal problem arose, the content of those personal accounts could be subpoenaed, along with corporate email.
"They probably don't realize that although they're transferring things to their personal account for convenience, they're really setting the groundwork for a litigation adversary or regulatory adversary to rummage through their personal email accounts looking for relevant corporate information," Friedberg said.
Sign up for CIO Asia eNewsletters.