The online survey, conducted by KRC Research, questioned 764 information workers in the US across various industries. Among the findings, 87 percent of senior managers email work files to their personal emails or cloud accounts, significantly increasing the company’s information security risk.
"We didn't necessarily expect what we found, in terms of risks being more concentrated with senior members of organizations," said Eric Friedberg, co-founder and executive chairman of Stroz Friedberg in an interview.
People Will Be People
In Friedberg's opinion, the security bar raised by corporate enterprises is what's driving a lot of this risky behavior. "Increased security in general makes connecting to VPN, and adhering to corporate document transfer policies and protocols less convenient, so people are circumventing those using personal accounts and devices."
And yes, managers run up the risk because they tend to have more valuable information than lower ranking employees, but they also find themselves in situations conducive to cheating the system.
Consider a manager vacationing down in the Caribbean trying to prepare and participate in a conference call but the VPN will not connect to the hotel WiFi. He or she may call their secretary and asks to transfer the documents to their Gmail account. This unique instance may seems justifiable, but when results come back that over 80 percent of managers are transferring documents to their personal email and cloud accounts, there are huge risks.
Friedberg explains when employees are transferring things to personal account that means they are likely accessing both personal and work accounts from the same devices. "When you use a personal device you expose it to a lot of unapproved sites, and lots of malware resides on those sites. And it's not that anyone is doing inappropriate browsing, but the hackers are very smart." He gives the example of the day following Miley Cyrus's shocking VMA performance. Malware guys know everyone is looking at that video, so they upload a tremendous number of infected videos. If you are looking with a personal account you are much more likely to infect a work computer with malware than if you segregate work and personal life.
It may be a reality that it's hard to stop, but it does carry increased risks. The separation of work and personal is further complicated with the BYOD movement, and IT managers have to be aware that human behavior can rub up against corporate policy.
"The survey results just highlight how this blurring line between work and personal life is increasing risk, not withstanding companies spending a lot of money and attention to security of networks. To some degree they are encouraging activities that undercut that investment because they are essentially encouraging employees to use personal devices for work purposes."
While IT deals with issues around malware, the crossover of personal and corporate can be a compliance disaster.
"It's a nightmare because when you are doing litigation holds and collect documents relevant to the extent that all senior custodians might be using their personal emails for work purposes, it may be very hard to take the position that you don't have to collect and search those devices for litigation. And this is another downside to the BYOD policy, which is once the device becomes in scope for compliance purposes for regulatory matters, the users have to turn over devices and the corporate council must search the device for relevant items which creates privacy issues." This includes personal photos, e-mails, search history, and more.
"If 87 percent admit to transferring relevant data to personal accounts then corporate council are going to go to them and say we need to search Gmail your account. This may involve looking for a set of search terms including "subscription" but that could turn up a million things that are very personal. BYOD is an attractive cost savings, and probably here to say, but it does create these other risk factors."
The survey also found widespread cases of everyone's worst nightmare: 58 percent admitted to sending sensitive information to the wrong person. We can usually thank auto fill for those compromising communications. The reason this is more concentrated at the senior management level, Friedberg explains, is because they are so busy. "They have a million things going on. Often they are writing emails in taxis and trains and before the plane door is about to close so they get victimized more by the auto fill function, and I think that is generally the leading cause of sending materials to the wrong person."
Although there is protection for inadvertent disclosure at the end of most corporate communications you have to spend a lot of time showing it was actually inadvertent and irregular. "It's an issue if a large percent of people are doing this regularly. You are supposed to show some level of care, and if you can't show that you can't use the inadvertent disclosure defense."
Do Not Underestimate the Value of a Security Culture
For compliance officers now shaking in their seat, take heart in the knowledge financial services has shown more observance and commitment to following security guidance than other industries. Although senior managers are still creating more risk, Friedberg sees better results where companies have baked in security as matter of corporate culture.
Indeed, perhaps the most important finding of the survey demonstrates the power of a cultural attention to security, of which financial services is heavily focused. Although it falls outside the scope of the survey, Friedberg says his experience in the field shows financial services having among the best security protocols, resulting in less people transferring data to home computers and to their cloud accounts. After all, after years of compromising headlines financial managers understand that without protocols there is no business.
"Ownership of corporate security needs to come from the top," he adds. "Executives must understand they are to serve as examples. Security is sort of a collaborative undertaking that requires their leadership."