Accountability at the Top – Can Executives be Trusted to Keep Data Secure?
Enterprises looking to secure their data have been making one fatal mistake for years – they’ve been operating under the misconception that senior managers are inherently trustworthy simply because of their rank.
System administrators typically give higher-ranking personnel greater scope to access and modify resources on their networks than their rank-and-file colleagues. There’s a reasonably well-founded logic to this – senior managers are more likely to require access to sensitive resources such as financial data and intellectual property to perform their job. They also have a greater stake in the company’s fortunes than lower-ranking employees; so presumably, they’re more likely to think about the implications of a data breach.
A study carried out by researchers at Stroz Friedberg showed just how misplaced this trust is, undermining a model that’s been used for years. The company polled more than 750 people who used computers for work. The sample included both senior managers and rank-and-file employees, and the results show how wrong our assumptions about accountability at the top of the ladder have been.
Nine in Ten Senior Managers ‘Put Data at Risk’
According to Stroz Friedberg, nearly nine in ten senior managers either frequently or occasionally put corporate data at risk, with some 87 percent of respondents in this group admitting they had uploaded resources to personal email or cloud storage accounts to work from places other than their normal offices.
Equally shocking, more than half (58 percent) of senior managers said that on at least one occasion they had sent sensitive information to the wrong person by mistake. By comparison, only one in four workers overall (25 percent) had committed the same error – showing higher-ranking personnel could actually be a bigger threat to your data than anyone else.
Finally, and perhaps most troublingly of all, Stroz Friedberg found managers weren’t just careless with their businesses’ assets – they also turned out to be more likely to exploit their access privileges. Some 51 percent of senior leaders and 37 percent of respondents from middle management admitted to having stolen a past employer’s intellectual property when they left a job, while only 20 percent of rank-and-file workers said the same.
“Insiders are by far the biggest risk to the security of a company’s sensitive information, whether it’s a careless executive or a disgruntled employee. When information is compromised, a company’s reputation, customer base, and share price may suffer,” commented Michael Patsalos-Fox, chief executive of Stroz Friedberg. “Our inaugural information security survey demonstrates that companies need to address high-risk security behaviors within the workplace at all levels with a proactive risk mitigation plan.”
How to Keep your Privileged Users in Check
How can you stop senior managers in your organization from putting sensitive data at risk?
One of the things the Stroz Friedberg study overlooks is that old-school network models don’t just put intellectual property at risk of loss or theft – they also fall foul of compliance standards.
Compliance auditors take issue with networks that give undue levels of privilege to certain users, whether they’re senior managers or system administrators. Regardless of how high-ranking members of staff are, they shouldn’t be given access to resources unless they need them for their jobs.
With this in mind, here are some ways you can address internal threats to your data.
- Make sure you have robust access controls. No one on your network should have universal access to everything – regardless of how high-ranking they are. To this end, you should look to implement context-aware, dynamic access controls that evaluate the circumstances of each request (who is asking, from what device and location, and for what purpose) so that users are only able to access the data, applications and resources pertinent to their jobs at the point of consumption.
- Use persistent encryption. As the Stroz Friedberg study showed, senior managers like the fact that they can move files to cloud storage to work on them remotely. Unfortunately, this may render any encryption applied by your servers or on-premises applications, such as SharePoint, ineffective – unless the encryption travels with the file. To ensure data stays protected, make sure whatever method you are using for encryption is persistent.
- Keep an eye on privileged users. Obviously, you can’t take privileged access away from senior managers because of the fear that they might abuse it. You can, however, comprehensively log and report everything they do, so any abuse can be uncovered in a timely manner.
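The first and third points above, sketched as an added example that is not part of the original article: a need-to-know access decision that ignores rank and considers device and destination, with every decision recorded in an audit log that is then reviewed for the pattern the survey describes (non-public data moved to personal email or cloud storage). The role names, data classes, destination labels and sample events are all constructed for illustration.

```python
"""Need-to-know access decisions plus audit review for privileged users (added example)."""
from dataclasses import dataclass

# Which roles need which data classes; rank is deliberately not a key (constructed mapping).
NEED_TO_KNOW = {
    "cfo": {"financial"},
    "engineer": {"source_code"},
    "sysadmin": set(),   # runs the systems, has no business reading the data on them
}

@dataclass
class Request:
    user: str
    role: str
    classification: str   # "financial", "source_code" or "public"
    managed_device: bool  # corporate-managed endpoint?
    destination: str      # "corp_share", "personal_cloud" or "personal_email"

AUDIT_LOG: list[dict] = []   # every decision, allowed or denied, is recorded

def decide(req: Request) -> bool:
    """Allow only when the role needs the data class, the device is managed
    and the copy stays in corporate custody. Public data is always fine."""
    allowed = req.classification == "public" or (
        req.classification in NEED_TO_KNOW.get(req.role, set())
        and req.managed_device
        and req.destination == "corp_share"
    )
    AUDIT_LOG.append({"user": req.user, "classification": req.classification,
                      "destination": req.destination, "allowed": allowed})
    return allowed

def review(log: list[dict], threshold: int = 2) -> list[str]:
    """Flag users who repeatedly tried to move non-public data to personal
    email or cloud storage, whether or not the attempt was blocked."""
    counts: dict[str, int] = {}
    for e in log:
        if e["classification"] != "public" and e["destination"] != "corp_share":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def run_sample() -> tuple[list[bool], list[str]]:
    """Constructed events: a CFO working from an unmanaged laptop and personal accounts."""
    AUDIT_LOG.clear()
    events = [
        Request("alice", "cfo", "financial", True, "corp_share"),         # legitimate use
        Request("alice", "cfo", "financial", False, "personal_cloud"),    # remote work, unmanaged device
        Request("alice", "cfo", "financial", True, "personal_email"),     # data leaving corporate custody
        Request("bob", "sysadmin", "financial", True, "corp_share"),      # admin, but no need-to-know
        Request("carol", "engineer", "public", False, "personal_cloud"),  # public data, no harm
    ]
    decisions = [decide(r) for r in events]
    return decisions, review(AUDIT_LOG)
```

Note that the review step flags alice even though two of her three attempts were denied: the log of attempts, not just of successes, is what surfaces a privileged user who keeps trying to take data off-site.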