Lying in bed at 6:00am, I opened my work email just like I did on nearly every other weekday morning. An email from the sales director of one of my client’s vendors caught my eye, so I opened it. I stared at the email for a while, puzzled. It was a breakdown of the company’s current sales, projected sales and sales strategy for the upcoming quarter - why in the world did the sales director send me this, I thought. No, this is not a story I made up. This actually happened to me a few months ago, and while the mistake did no long-term damage to the company in question (I immediately notified the sales director and deleted the email), this situation represents a stark reality of today’s digital world - top decision makers often pose the largest risk to their companies and organizations, yet so often security and insider threat programs focus on lower-level personnel.
A 2013 online survey conducted by KRC Research demonstrates this point. Of the 764 employees polled, 58% of Senior Managers and Managers have accidentally sent the wrong person sensitive information (versus only 25% of workers overall). Additionally, 51% have taken files with them after leaving a job, double the amount of workers in lower-level positions. And the vast majority (87%) of Senior Managers and Managers regularly upload work files to a personal email or cloud account, primarily because taking their work computer home with them is too burdensome, or they simply prefer using their home computer. See the full report here.
What’s so different about managers?
To start, managers have access to the most sensitive company information. A misdirected email by a sales manager could do more damage than a misdirected email by a salesperson. But managers also are under more pressure to take their work home with them than the average employee. Ironically, their efforts to be more productive can cause more harm than good.
So how can organizations address this problem? Many experts will tell you to increase security training across the company, but if this were the silver bullet, wouldn’t we have stopped talking about the problem already? In reality, training can only go so far to support organizational risk management. Work takes over and employees will eventually defer to whatever behavior allows them to work most efficiently and effectively - especially managers. Organizations need solutions that address the root cause of the problem to achieve lasting results, and the first step is to perform a comprehensive risk assessment. For instance, instead of upping information security training requirements, why not put measures in place that ask employees to verify that they’d like to send an email to individuals outside of the company? Why not use a secure company cloud that allows managers to log in from home computers and complete their work within the cloud?
Every company and situation is different, so the above suggestions will not work across the board. However, the fact remains that top decision makers often pose a significant risk to security. It’s not enough for organizations to simply increase security training for these individuals. They need to identify the root cause of the problem, then dedicate the time and resources necessary to fix those problems.