Stroz Friedberg, a risk-management consultancy, commissioned a survey [PDF] of information handling practices in businesses that concluded that senior managers are the greatest risk to information security within companies.

Though the conclusion is a convenient one for a company that specializes in information security to have drawn, I think it is credible. Senior management often sets "business-wide" policies that everyone except the policy-makers themselves is required to abide by. Everyone I know who's worked in corporate IT has horror stories about senior managers who refuse to adopt good password strategies, good email hygiene, etc.

More widely, the problem of leaders establishing "one rule for them, another for us" is an endemic one that cuts across several domains. When I was helping to kill the Broadcast Flag (a Hollywood-backed rule that would have required all technology companies to get movie studios to approve their hardware and software designs before putting them on sale), the studio reps were very careful to make sure that "professional tools" would be exempted from whatever onerous locks were put on the stuff the rest of us used.

And of course, many of them privately admitted that they used "region 0" DVD players that could play the movies they brought home from their trips abroad, even though these are nominally illegal and the studios claim to want them abolished. They also routinely used Handbrake and other illegal tools to rip DVDs, excusing it as not infringing when done by someone working for a studio.

Released by global investigations, intelligence, and risk services company Stroz Friedberg, the survey also found that 58% of senior management reported having accidentally sent sensitive information to the wrong person, compared to just 25% of workers overall. Corporate managers also put their companies at risk of intellectual property loss if and when they depart the company. Fifty-one percent of senior management and 37% of mid-level management admit to taking job-related emails, files, or materials with them when they have left past employers. Only one-fifth of lower-ranking employees have done so.

Senior managers are the worst information security offenders

(via /.)