Follow the leader: why are senior executives still not practising what they preach when it comes to cyber security?

Enterprises today have a lot to think about, and ensuring the privacy of customer and employee information has become a high priority. However, it’s also become clear that companies can't protect everything and organisations appear to be overlooking the security of their leadership team.

With the sharp rise in high-profile security breaches responsibility and accountability for cyber security should now be falling directly with the C-suite and senior level executives.

Unfortunately, managers are failing to protect their data according to a recent survey by Imation’s IronKey, which surveyed 500 IT professionals in the UK and Germany, to assess security practices among managers and employees when taking data outside the workplace.

Shockingly, over half of all respondents (55%) reported that a member of senior management in their organisation had lost a device. A similar number (51%) reported that a member of their senior management had a device stolen in a public place. The majority of these respondents said that these incidents had occurred within the last year.

> See also: Digital defenders: from security geek to c-suite superhero

Whilst IT departments have long been aware of the importance of keeping corporate data secure, protecting intellectual property from external attacks and, more importantly, insider threats, should be at the top of every organisation’s data protection strategy.

Practise what you preach

Worryingly, non-senior management employees are also failing at securing their data. A full two thirds of respondents said that non-senior management employees had lost devices at some point in the past, again with the majority pointing to incidents less than 12 months prior. These devices also contained sensitive data, posing a risk to intellectual property.

The reason likely being that senior management are not practicing what they preach when it comes to securing sensitive information, and they are not setting a good example for employees. Employees look to their leaders for education and instruction, and will happily imitate their actions.

An executive who doesn’t demonstrate best practice, nor provide their workforce with the necessary tools and information to keep their data secure, is in real danger of a data breach.

Not only that, but they will create a team of non-compliant and ill-informed employees, unsure about how to protect data within the organisation, or simply unaware that they need to protect it in the first place.

Data on the move

To make matters worse, mobile devices are increasingly being used to hold work-related data, particularly as more people work remotely. Securing data at rest is a challenge in itself, but managing data on the move brings a whole new set of challenges for the management of corporate data, and introduces the need for clear, comprehensive data security policies and employee education.

The survey found that of those companies that do have data security policies for remote working, or plan to implement them, the most common method of enforcement was password protection for files or devices. Less common was file encryption, which only 44% of respondents included as a policy.

Only 23% of companies have a policy to prevent employees copying files to USB sticks, and only 31% of companies prevented employees saving files on private devices.

Furthermore, less than three in 10 companies forbid the use of cloud storage not provided by the IT department, neither do companies (22%) have policies in place to prevent employees emailing sensitive corporate data to themselves via a private email address.

To properly guide employees, a policy should forbid all practices that may endanger company data, leaving a narrowly-defined set of options for securely taking it outside the workplace.

Policy and education

93% of respondents noted that lost or stolen devices had contained work-related data. 56% had confidential emails, and 42% had sensitive files or documents. Almost one in three (29%) had customer data, and a worrying 9% had login and password information, highlighting the severity and the imminent threat of a data breach.

The sheer volume of potential risks can seem overwhelming, so it is essential that senior management focus on the importance of data security threats, and present a prioritised plan of action for dealing with the risks.

> See also: C-suite take note: there's more to IT security than keeping you safe

They should then ensure they action the plan and present it to their employees in an easily digestible manner. The information should be broken down using business terms and analogies that easily drive the message home and do not inhibit productivity.

Implementing comprehensive endpoint data protection will provide the visibility and control of the data stored across employee devices, allowing IT to identify and rapidly respond to and remediate leaked data and security threats.

Equally, education of, and from, senior level executives is crucial to avoiding a data breach. C-Suite employees should not ignore security procedures and should be leading by example by employing and enforcing data protection across the board.

Creating an explicitly-defined set of rules for everyone to follow will make the data protection process a lot smoother.

Sourced from Nicholas Banks, Vice President EMEA and APAC, IronKey

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Security
IT Leadership