Slashdot Mirror


Senior Managers Are the Worst Information Security Offenders

An anonymous reader writes "As companies look for solutions to protect the integrity of their networks, data centers, and computer systems, an unexpected threat is lurking under the surface — senior management. According to a new survey, 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account to work remotely, putting that information at a much higher risk of being breached. 58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."


  1. Seen it on the job: by Hartree · · Score: 5, Informative

    This is supposed to be some great revelation?

    They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

    1. Re:Seen it on the job: by Ben4jammin · · Score: 5, Insightful

      It will be a revelation to senior management.

      They will in fact need reports such as this to recognize the reality that all us IT workers have known for years. See, the fact that you don't understand that is why you are likely not in senior management :)

    2. Re:Seen it on the job: by Penguinisto · · Score: 5, Insightful

      Sad, but true.

      I remember a CEO of a moderate-sized corp (!?) who didn't see the need for locking down his Blackberry.... until he lost it one night while out on the town. Took me all of five minutes to crawl out of bed and wipe/lock the device remotely via BES, but the funny part was that it took that incident (and a gentle explanation of why I wiped his device - he originally wanted me to "locate" it for him) before he figured out that security was more than just a buzzword that got in his way.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Seen it on the job: by Grey Geezer · · Score: 4, Funny

      Yes, It's not just electronic communication either. A senior manager where my wife once worked wrote the code for the entry door keypad...on the keypad, because memorizing it (or writing it down on a piece of paper he would have to dig out of his pocket) was too much trouble. True story. (I'm sure you all have stories as bad or worse than this one.)

      --
      The USA is only 4X older than me...perspective
    4. Re:Seen it on the job: by MickyTheIdiot · · Score: 4, Insightful

      So the moral of the story is we should all get together and set up a Gartner-like "consulting" firm where we make C*O's pay million dollar consulting fees and (unlike Gartner) they get the common-sense information they can get from any security text book since the C*Os will only listen to advice that they pay a bazillion dollars for. They are mentally incapable of listening to the smart IT guy in their department that they pay $40k a year.

    5. Re:Seen it on the job: by i kan reed · · Score: 2

      Regarding your sig: if it's a UDP opinion, doesn't that mean you don't want anyone to acknowledge it?

    6. Re:Seen it on the job: by Anonymous Coward · · Score: 2, Insightful

      Good! Overly locked down IT systems are the cause of this issue. Every time an IT manager locks something down, someone has to find a work around to get their job done. The result, instead of going through a fairly controlled set of internal (but trusting of internal users) systems, the content just gets pushed to external systems as a work around, and a much bigger security issue appears.

    7. Re:Seen it on the job: by Penguinisto · · Score: 4, Funny

      It means I don't particularly worry if anyone does or not. ;)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    8. Re:Seen it on the job: by cusco · · Score: 5, Insightful

      I work in physical security. Executives are bad, but the absolute worst are doctors. There is a local hospital where the keypad code (1234) for the 'Doctors Entrance' hasn't changed in 23 years, because the doctors refuse to remember their own 4-digit code. Every attempt to change it has resulted in surgeons immediately marching into the executive offices and threatening to quit (really). Even an irate and armed ex-husband entering the hospital through that door didn't convince them. Getting them to use a key card is almost impossible unless they can have one card to leave in the Mercedes, another for the Porsche, and another in their desk that they can retrieve by tailgating into the building. /rant

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    9. Re:Seen it on the job: by Ben4jammin · · Score: 4, Interesting

      I once had to remove all the copy codes on all the copiers in the building because apparently the CFO was incapable of memorizing a 5 digit number...I wish I were making this up.

    10. Re:Seen it on the job: by CthulhuDreamer · · Score: 4, Funny

      The CEO of a company I used to work for claimed the VPN was inconvenient, so he would basically sync our entire file server to his laptop every day - marketing, finance, development projects, the works. His laptops were also constantly being misplaced or stolen, so who knows how many copies of everything we had are floating around out there. Every business trip was a major security breach in the making.

    11. Re:Seen it on the job: by LVSlushdat · · Score: 3, Funny

      Have seen senior managers (CEO-level) saving their daily-to-do's emails in the TRASH!!

      Back in the 90s, the company I worked for at the time, was a Novell+Groupwise shop, and we discovered that the company CEO was saving important email to the Groupwise trash. Found this out when we did a trash purge over a weekend and come Monday morning, CEO's executive assistant was on the phone to support saying that the "big-boss" lost a LOT of important email... I was the foot-soldier on call that day, so I had to run down to his office, and investigate. I had to fight hard to keep from laughing out loud when the assistant (big-wig was out of the office, but assistant had big-wig's password(s)) showed me just WHERE the emails had been stored, after a lot of prodding and question-asking.. Since I knew there had been a Groupwise trash purge over the weekend, I knew exactly where the mail had gone, but hoping against hope that the Novell salvage had not been cleared yet, I called the desk admin, and fortunately he was JUST getting ready to clear salvage.. I managed to stop him, and we were able to recover the big-wig's email.. Being I was the new-guy, there was NOOOOO way I was gonna tell the CEO and his assistant "you DO NOT PUT EMAIL YOU WANT TO KEEP IN THE TRASH!!!" .. I left that up to my big-boss, the CIO... Needless to say we had many chuckles at the next month's team meeting...

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    12. Re:Seen it on the job: by MickyTheIdiot · · Score: 3, Informative

      In Indiana an admin can be held legally responsible if their network isn't properly secure. I understand what you are saying here, but there are professional and sometimes legal reasons something is more secure than an exec wants.

      And while I agree you have your paranoid admins, most admins are struggling just to do basic security that no admin would consider controversial. Like someone else already said... there are many, many paper trails out there so that an admin can show that they attempted to do basic security but they couldn't do it because some big fish in a little pond wanted to be sure he could telnet in from Bolivia.

    13. Re:Seen it on the job: by MickyTheIdiot · · Score: 2

      Where do you live? You do realize that people live in the states between the two coasts, right? You can have a very sharp IT guy making $40k here and be doing okay.

      But, anyway, you missed the point by picking at the example.

    14. Re:Seen it on the job: by Sir or Madman · · Score: 3, Insightful

      And have their passwords on a sticky note attached to their monitor.

      Then stop making us change our passwords every 2 months. We all know that doesn't work anyway.

    15. Re: Seen it on the job: by Bengie · · Score: 5, Insightful

      The value of money is relative to the cost of living. Keep your $100k/year job with $300k house and 3 hours commute. I'll stick with my lower paying job in a smaller town with a $100k house that is much larger than yours and 5 minute commute.

    16. Re:Seen it on the job: by multisync · · Score: 2

      >It will be a revelation to senior management.

      >They will in fact need reports such as this to recognize the reality that all us IT workers have known for years.

      Yeah, right. Senior management will never read a report titled "Senior managers are the worst information security offenders" on a site called net-security.org, any more than they would read a report at motherjones.com about the disparity between the wages of regular employees and executives.

      --
      I don't care why you're posting AC
    17. Re:Seen it on the job: by whoever57 · · Score: 4, Interesting

      >It will be a revelation to senior management.

      No, it won't. Senior managers are very often less intelligent than the people they oversee. What senior managers possess is greater (but misplaced) confidence in their own abilities and/or some level of sociopathy. These conditions lead to willful blindness of their own failings.

      --
      The real "Libtards" are the Libertarians!
    18. Re: Seen it on the job: by the grace of R'hllor · · Score: 5, Funny

      Move to Detroit. I've seen free-standing houses for less than $5000 on some real estate sites. Plus it's in a colorful, lively neighborhood.

    19. Re:Seen it on the job: by slapout · · Score: 3, Funny

      So you're saying the Financial Officer wasn't good with numbers?

      --
      Coder's Stone: The programming language quick ref for iPad
    20. Re:Seen it on the job: by jbolden · · Score: 2

      Companies aren't a line; they are a complex web of competing interests, more like a society. Lots of people have enough authority to bypass or get special permission for security policies but don't have the power to change them for the whole company or fire the IT security manager.

    21. Re:Seen it on the job: by Anonymous Coward · · Score: 3, Insightful

      >If a big-wig with a hefty 6 figure check messes up, it isn't the same story.

      Oh, it's the same story all right, and the big-wig will BLAME IT ON YOU.

    22. Re:Seen it on the job: by The Wild Norseman · · Score: 2

      Why is there even a code on the Doctor's entrance in the first place? The doctors have enough to be concerned with without someone else's technological "solution" getting in their way.

      Exactly. Doctors do not need a coded door; they just need a body of water to walk on.

      --
      "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
  2. Shocking... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Who would have thought that immunity from consequences would lead to carelessness?

  3. Maybe by Anonymous Coward · · Score: 3, Insightful

    >58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

    Statistics like this are meaningless unless you know how often senior management is sending out information that requires filtering out sensitive information versus general workers. I would expect a CEO to send out more info than the mail clerk and hence a higher chance of sending out sensitive info.

    1. Re:Maybe by SJHillman · · Score: 3, Insightful

      "Senior management" doesn't always equate to "paid millions". I work at a medium sized company, around 1000 employees, but of the 20 or so individuals that would qualify as "senior management", only two of them are "one-percenters", and neither of them is even close to a half million in salary. Sure, they're paid more than the rest of us but for most companies, the difference isn't nearly as vast as you seem to imagine it to be.

    2. Re:Maybe by Penguinisto · · Score: 2

      Seriously? The average CEO salary is nowhere near "millions". You only find that kind of cheddar in the Fortune 500 companies, and even then you'd often have to count stock options into the total.

      Hell, in the last two companies I worked in, the School Board Superintendent of Portland, OR made more ($250k) than either of them (~$150k and $175k, respectively).

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Maybe by loufoque · · Score: 2

      A CEO typically does 80-hour weeks, and has a sufficiently good understanding of the product and the market that he managed to make a business with it.
      Do you seriously think that it's a problem that he's paid marginally more than his employees that do 40-hour weeks and don't directly contribute to bringing money inside the company?

    4. Re:Maybe by jmcvetta · · Score: 2

      And going to "fancy dinners with clients" is about networking: keeping current clients happy and trying to get new ones. You know, to produce income?

      As said, it may well be quite valuable to the company. But it is nevertheless more similar to leisure than to labor.

    5. Re:Maybe by KramberryKoncerto · · Score: 3, Insightful

      While it's often easier in certain ways than doing "real" work, it's also less of a leisure activity than it seems. One could be anxious that he didn't kiss enough asses, for example. I know I hate it.

      For most people it's already troublesome to meet people all the time for business, especially when you don't always enjoy their company. A lot of these CEOs would rather spend time with their family, actual friends or perhaps mistresses. Some, though, can find themselves enjoying the act more than other work, while still treating it seriously and developing actual skills for it. Arguably we can say the same about coders who like to code.

    6. Re:Maybe by DeSigna · · Score: 2

      Getting a bit OT here, but I have not worked at a single company where the CEO/Managing Director/whatever did not work at least 2x the number of hours of practically everyone else.

      For my current boss, stock market dabbling is leisure. Wining and dining whiners and strategic customers can be fun but it means he doesn't get to spend time with the wife or golfing or just chilling in front of the TV. He's in at 5am checking projections and talking with vendors/big customers, regularly leaves at 4pm to go to business and networking seminars until late at night, or is just in the office until 6-7pm.

      He's in his sixties, this is an established business that's been around for decades. Would you have the energy to build something like that from the ground up? I don't. He did. If he wants to relax a bit and drop the average back to a low 70-odd hours a week, good for him.

  4. Sampling bias by SirGarlon · · Score: 3, Insightful

    Senior managers *should* exchange a lot of communication with a lot of people. That creates more opportunities for a mistake. A rational policy would be for the people who most commonly transfer important information to have the best security tools and training.

    But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    1. Re:Sampling bias by Attila Dimedici · · Score: 2

      Who exactly is going to educate these executives? The people being talked about in this article generally outrank in the corporate hierarchy the people who teach everybody else to maintain information security, on pain of being fired.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    2. Re:Sampling bias by Trepidity · · Score: 4, Insightful

      Trying to get them to follow any kind of IT policy is nearly futile as well. Many recognize the need for an IT policy in the abstract, and will be happy to sign off on something that the average worker has to follow, but they see themselves as a special case that needs more freedom to operate as they see fit.

    3. Re:Sampling bias by msobkow · · Score: 2

      "Let's not educate the executives?"

      Clearly you have never tried to "educate" an executive. Their inevitable response is "I need to do this", and to make you responsible for preventing the damage they risk and cause. It's the email administrator's fault that the email system let them send that financial report to the wrong people, dontcha know.

      --
      I do not fail; I succeed at finding out what does not work.
  5. anybody on a Helldesk can testify to this by swschrad · · Score: 3, Funny

    "I am the Senior Vice-Neutron for Intracorporation Multinational Reassignment! You must open port 23 at once so I can check my stocks!" who hasn't heard something like that?

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:anybody on a Helldesk can testify to this by cusco · · Score: 4, Informative

      Having to unblock AOL so that the marketing exec could send/receive company documents to his personal email account was annoying. The subsequent flood of spam was the only thing that let my boss get away with blocking AOL again. The marketing exec was surprised at our reaction, he just thought that was the way email systems were supposed to be.

      This was the same idiot who needed his laptop reinstalled three times in four months when he installed the latest version of AOL's client software the same day it was released.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  6. Epic facepalm moments by Solandri · · Score: 4, Interesting

    A former boss of mine had a bad habit of hitting Reply instead of Compose when writing new emails. I noticed I'd get emails from her which were totally unrelated to the mail she'd hit Reply on. I warned her several times that that could be dangerous since hitting reply automatically includes the previous email(s) as a quote.

    Then one day it happened. She decided to send out a mass email to all staff, and composed it by hitting Reply on one of my emails. I got into work, checked my email, and did the biggest head-desk of my life. She had replied to one of my emails where we'd been discussing employee bonuses and pay raises, including extensive deliberation over what we were going to tell certain employees in their annual performance review. That lengthy discussion was quoted and got sent to the entire staff. Fortunately the damage wasn't as severe as it could have been - the four employees we'd discussed in the email thread were all good employees so most of our comments had been positive.

    On the up side, it broke her habit. She never composed a new email by hitting Reply again.

  7. do you really think senior mgmt will read a book? by logicassasin · · Score: 2

    what land is this you live in?

    No, seriously upper management has ALWAYS been the bane of anything IT related. Every boneheaded request, every response of "well, why can't I do that?" or "... it would just be easier for me that way..." always comes from senior management and no matter how many times you tell them why it has to be done a certain way, they just don't get it.

    --
    Fifty watts per channel, baby cakes.
  8. Re:Upper management gets special treatment by jbmartin6 · · Score: 2

    I call this the 'Executive Paradox'. At least on paper, the exec's time is extremely valuable. So if he is trying to bring up a presentation to say the Board of Directors (whose time is also extremely valuable) and has a password problem, a lot of extremely valuable time is wasted. So it is a lot riskier to impose security controls on senior managers than it is on lower level folks whose time isn't quite as valuable. The risk of a breach resulting from executive policy exceptions has to be weighed against the cost of any controls that result in wasted executive time.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  9. Just try ... by PPH · · Score: 2

    ... telling the top brass that they can't take their laptop home to play with. And hand over to the kid to play with. And let the kid download warez.

    When that thing comes back the next Monday morning, it's been totally pwned by any number of evil doers.

    --
    Have gnu, will travel.
  10. Seniority in management or age? by 140Mandak262Jamuna · · Score: 3, Insightful

    Most senior managers are also older than the general population. At least some of them came of age before the PC era, mostly during the e-mail era. The older folks really do not understand how computers work, or how the networks are secured or how much damage an intruder into their network can do. So we can blame at least part of the problem on their age, rather than management.

    Also most senior managers have flunkies, sidekicks and general assistants who do most of the errands for them. Some of them are not capable of doing very simple things like booking all the things needed for a vacation package over the internet.

    Add to this the sense of entitlement and belief that they are really really smart because otherwise how can you explain the free markets bestowing upon them huge salaries? They must be smart there is no other explanation in their mind. So they get really really careless.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Doctors... by phorm · · Score: 3, Insightful

    I see your doctors and raise you... teachers (especially older teachers). Basically the attitude is "we're here to teach, not to learn" (or pay attention to some young whipper-snapper telling them how to use *their* equipment).

  12. Re:do you really think senior mgmt will read a bo by rtb61 · · Score: 3, Insightful

    Ego and arrogance got them their position at the top (all that corporate back stabbing, taking credit for other people's work and of course blaming anyone and everyone for executives' own mistakes), so it is hardly surprising that the same attitude arises in the security decision making. Security is for the little people, the nobodies; I pay you to make me secure, it's your fault, you're fired, is senior management's normal attitude to security.

    --
    Chaos - everything, everywhere, everywhen