The push to secure company data and networks has never been stronger, in part because the dangers are more prevalent than ever before. Data breaches have become all too common, and many businesses have paid the price for their lack of vigilance and security features. While many organisations are trying to step up their game in terms of security, much of the focus has been placed on the employees – their behaviors, their devices, even their attitudes. Making sure that workers at the lowest levels engage in security best practices matters, but some of the biggest risks might not be coming from them. In fact, the men and women at the top of the company – the C-level executives – may be contributing to bigger security risks than anyone else, often without knowing it. As a consequence, IT personnel may be better served by focusing their attention on upper management.
While some may be shocked at the thought that top-level executives are engaging in reckless behavior regarding security, many within upper management admit to doing just that. In a survey carried out by Stroz Friedberg, a stunning 87 percent of senior managers said they have uploaded files to their own personal cloud service accounts, all in an effort to conduct business remotely. On the surface, this type of action may seem relatively harmless, but taking company data outside of the confines of a secured business network opens up the possibility that sensitive data could get leaked or outright stolen. Equally alarming is the prospect of executives using personal devices to open these potentially confidential files, effectively doing so outside IT’s jurisdiction. If an executive were to accidentally pick up malware on his or her smartphone, for example, that malware could then spread to the business network when the device connects to it again.
Bring your own device
These possibilities have only become more apparent in the age of bring your own device (BYOD) policies. Businesses that adopt a BYOD program should have security policies in place, but some upper management workers may still use a personal device even when no BYOD policy exists. This is enough to cause more than a few headaches for the IT department, as it becomes that much more difficult to police who is accessing which information at which time. It also makes it an extra challenge to practice proper data protection on devices that IT might not even know C-level executives have.
Appreciating the risks
Even in cases where upper management doesn’t engage in risky practices directly, they may still contribute to a risky environment by simply not taking security risks seriously. That’s not to say they don’t care about protecting company data, only that their viewpoints may be outdated and may not fully account for the always evolving risks that are out there. The security policies from just a few years ago aren’t enough to adequately protect today’s cloud services, converged infrastructure, and big data analytics tools. In this sense, executives’ inaction actually leads to the greater security risk.
Also worth noting are the security risks inherent when a top-level executive leaves the company for whatever reason. There are already plenty of examples of former executives being accused of stealing intellectual property and sensitive data upon their departure, so IT and other executives need to make it a priority to thoroughly review the recent activities of every departing employee, regardless of rank within the organisation. Reviewing confidentiality and IP agreements is also a step worth taking.
It’s a matter of understanding
When it comes to dealing with security risks from upper management, much of the work comes down to convincing them of the risks and getting them to watch their own actions. This may require making the business case for better security, noting the potential losses if their inaction continues. Demonstrating the impact that comes from a lack of security is an absolute must if executives are to take the issue seriously. C-level executives have access to the most sensitive company data, making it all the more important that they understand the risks that are out there, as well as what they need to do to provide for better data protection.
Security in the Enterprise – Microsoft Virtual Academy
Enterprise Mobility Suite: Beyond “Bring your own device” – Microsoft Virtual Academy
Rick Delgado feels blessed to have had a successful career in the tech industry and has recently taken a step back to pursue his passion of writing. He’s started doing freelance writing where he occasionally works with tech companies like Dell Computers. He enjoys writing about new technologies and how they can help us and our planet.