Jan 15, 2014

Report says senior managers big cause of data breaches

Stroz Friedberg survey says C-Suite executives rarely follow data security protocols, increasing data breach risks.

Maybe ‘tone at the top’ isn’t always a good thing. According to a new survey from Stroz Friedberg, On the Pulse: Information Security Risk in American Business, senior management can be a company's biggest cyber security threat. 

The survey conducted by Stroz Friedberg and KRC Research, an independent research firm, found that 87 percent of senior managers said they frequently or occasionally send work materials to a personal email or cloud account to work remotely, increasing the odds of that information being breached. The survey also showed they are careless. Fifty-eight percent of senior management confessed to sending the wrong person sensitive information; among all workers, the figure was 25 percent. 

Even worse, when corporate managers leave their companies, they take intellectual property with them. Fifty-one percent of senior-level management and 37 percent of mid-level management polled said they took job-related emails, files or materials with them when they left their last employers. Only one-fifth of lower ranking employees said they took information with them.

‘If executives aren't following protocols for cyber security, how can they expect more junior staff to do so?’ asks Ed Stroz, executive chairman of Stroz Friedberg, a provider of investigations, intelligence and risk services. ‘Senior management's behavior undermines a culture that says security is a necessity.’ 

One survey result that struck Stroz most was the admission by senior management that they are missing the mark when it comes to cyber security. They know that protecting their companies against cyber attacks lies squarely on their shoulders and those of the C-suite, but 52 percent of those surveyed said they are falling down on the job -- rating corporate America's ability to respond to cyber threats at a “C” grade level or lower.

That is an alarmingly poor self-assessment, but Stroz says that since it is an honest one, there is hope.

‘With this level of honesty, this means that senior people are conscious of what they are doing,’ says Stroz. ‘The good news is that they are not deluded and are not thinking that they are more protected than they are. So that's a good starting point for change.’

Everyone doing their part

However, when it comes to cyber security, everyone must do their part, whether they want to or not, for the good of the company. Unfortunately, that hasn’t been the case.

Thirty-seven percent of those surveyed said they sent materials to a personal email account or uploaded materials to a personal cloud account because they have a preference for using their personal computer over their work computer. Another 14 percent said it was too much effort to bring their work laptop home with them. 

‘When security is in place there is some inconvenience, but it should not be viewed as such,’ says Stroz. He points out that some people complain that having to enter passwords is an impediment when they are busy.

Such attitudes will have to change if companies want to stay a step ahead of cyber criminals. ‘With all the breaches that have been in the media, the fact that so many say their preparation for a cyber attack is no better than a “C” is a call to action,’ says Stroz.

For starters, companies can increase and enhance their training. According to the survey, a lack of training is the main culprit behind this ill-advised behavior. Only 35 percent of those surveyed reported receiving regular training on communications on mobile device security from their employer; 37 percent said they received training on social media use; and 42 percent of respondents reported receiving information sharing training.

Increasingly, employees are using their own devices at work, creating further security issues. Companies must be clear in their policies about what constitutes appropriate use, and must update those policies to cover BYOD (Bring Your Own Device).

While corporate budgets may be tight, cyber security should be a priority. ‘Companies shouldn't look at protection as an expense, but an investment,’ says Stroz. ‘This is a compliance and risk management issue.’

Stroz puts the onus on corporate boards to drive home the importance of cyber security. ‘They should be leading the discussion with management. The board should be saying this is important and any board that isn't [saying that] isn't doing its job.’

The bottom line, says Stroz: ‘Everyone must be vigilant and leaders have to set the tone.’

Sheryl Nance-Nash

Sheryl is a freelance writer whose work has appeared in the New York Times, Forbes.com, ABCNews.com and many others.