Tuesday, January 14, 2014

When Ego Gets in the Way: Infosec at the Top

So, I try to be pretty fair when it comes to information security issues. I mean, everyone’s human, right? Everyone makes mistakes. And often, for the average Joe in an office, mistakes are the result of poor security awareness training or a general lack of knowledge about the threats of social engineering, phishing, or the danger-of-the-week (you name it).

But then there are those folks that just let their egos get in the way of security. According to a recent study by Stroz Friedberg, senior managers may be the worst when it comes to protecting sensitive information.

Review these disturbing statistics:

  • 9 in 10 senior managers upload work files to personal accounts.
  • 58% of the managers studied accidentally sent sensitive information to the wrong person.
  • 51% took files containing sensitive information with them after leaving a job.

The study goes on to suggest that people in management positions are more likely to flout the rules regarding information security because they’re under pressure, because they’re super busy—and because some have a serious attitude problem.
“In a company where there's not a pervasive culture of security emanating from the top of the organization, the top people believe that somehow their status exempts them from corporate policies," Friedberg said.

For example, the article quotes the chairman of one unnamed company with which Friedberg worked, who didn’t change his password for six months because “I’m above it,” he says. “Changing passwords is not for me.”

Ugh.

Evidently, this gentleman’s phone was tapped for six months because of his lazy security posture—and I say he made his own bed.

As a training and security consulting company, we spend most of our time developing courses and security awareness campaigns for those low on the totem pole. Training is for the folks in the call centers, those manning the front desk, or the ones on the ground floor, right?

Wrong.

Cubicle or corner office, six-figure salary or hourly wage, every single person in every single organization has the same responsibilities when it comes to security: follow the rules, protect every piece of sensitive information you touch, and actively pursue secure behaviors.

That’s why we have an entire course dedicated to managers and executives. Secure behavior has to start at the top and trickle down.

And here’s another thing to consider—managers, CEOs, and others in positions of power can be the golden goose during a social engineering attack. Think about it: who has the most access, the most power, and the least time to protect it all?

Want to impersonate someone on a phone call or conference call? Choose the individual who is always out of the office on business—the one whose voicemail says he’ll be out of the office for a month.

What’s the fastest way to the most sensitive information in a company? Go through the accounts of the person who has unlimited access to every system—and who uses the same password for every one.

Want to embarrass a big corporation? Demonstrate how easy it is to fool or outwit the powerful people at the top.

Really, when it comes right down to it, any manager who chooses to ignore security policy is poking giant holes in the expensive and time-consuming efforts to train everyone else.

He may as well start chucking money out the window. Someone will definitely be there to catch it.
