What CEOs are doing wrong with their cyber security

What CEOs are doing wrong with their cyber security

Way back in IT prehistory (2004), Michael Soden, then chief executive of the Bank of Ireland group, resigned after it was discovered that he had been visiting websites which were forbidden under company policy. While this story is probably all but forgotten by now, Code42’s 2018 Data exposure report, reveals that even today (almost) 15 years later, there is a significant level of “do as I say not as I do” behaviour from the current generation of CEOs.

Data theft is rampant

More than 70% of CEOs surveyed admitted that they had taken valuable intellectual property from a former employer, even though 78% of them agreed that ideas, in the form of intellectual property, are still the most precious asset in an enterprise.

Curiosity is a powerful force

A hefty 63% of CEOs admitted to clicking on a link they shouldn’t have (although this did include accidental clicks) and 59% of CEOs owned up to downloading software without getting clearance from corporate security.

Leaving aside the security risks in this, there is also the legal risk of having unlicensed software on corporate machines, with no less than 77% of CEOs acknowledging that their IT department would view this behaviour as a security risk.

Security can easily lose the battle with convenience

It is perhaps easier to forgive the 93% of CEOs who admit to keeping a copy of their work on a personal device. From an IT-security perspective, this is a dangerous security threat. In the 21st-century, however, while certain workers do have to be at desks on a fixed schedule, many managers are expected to demonstrate more flexibility and, hence, understandably often believe that they have the right to expect flexibility from their employer in return.

This feeling typically increases, the higher up the management scale you go. In short, even though the CEOs are, clearly, engaging in risky behaviour (which could have disastrous consequences for their company), there is still a very strong case for arguing that it is the job of IT to meet the needs of the business and those who run it. What most businesses need, above all, are skilled, engaged staff, which means that unless IT steps up and takes ownership of making flexible working a secure reality, it cannot complain if people work around its processes.

We know from the 2016 US presidential election campaign that “but her emails!” became a rallying cry for the Republicans. Even the woman hoping to run the most powerful country in the world was accessing emails in a less-than-secure way in order to manage her campaign and her activities, and we know that her opponent, the now-president, accesses social media in a similar way on a non-secure phone.

If people at that level of power are bypassing the most secure options in order to manage their online communications, we know that there needs to be improved provision of communication software on secure devices for everyone in a leadership position.

The lesson to take away

Possibly the single, biggest lesson to take away from this report is that it is vital for IT to engage with the business as a whole and to ensure that people understand the reasons behind IT security policies and what it could mean to them if these policies are broken.

Perhaps GDPR could provide some helpful motivation here as it consists of relatively clear instructions that put consumer privacy at the core of business policies. Mimicking this with other provision, such as employee privacy and business security, could lead to some really strong policies that protect businesses even when its staff – including the CEO – don’t get everything right.