The biggest security risk at your company could be your boss

Turns out companies leak from the top

I’ve written before about the proclivity of company executives to be involved in cases of corporate fraud, and now one American firm says it’s determined who is most at risk of leaking their companies’ private data or intellectual property.

It turns out the worst offenders are the ones with the most seniority.

A national survey recently conducted by Stroz Friedberg, an “intelligence and risk services” company, found that 87% of senior managers surveyed have put company information at risk by uploading emails or files to personal accounts or cloud services in order to work remotely—say, uploading a budget spreadsheet to their Dropbox account, or emailing a file to themselves so they can work on it at home. While senior managers do it most, the practice is endemic—nearly three-quarters of the office workers at all seniority levels surveyed said they do it as well:


(Infographic by Stroz Friedberg)

Stroz Friedberg argues that the tendency to send files to personal accounts, as well as the increasing prevalence of BYOD (or “bring your own device”) policies at companies, puts this information at a heightened risk of theft.

As soon as personal and professional browsing habits co-mingle on a device that is used at both work and home, “you’re more than doubling the risk [of a security breach], because traditionally what people are browsing on their personal time is usually more susceptible to infection than work destinations,” says Stroz Friedberg co-founder and executive chairman Eric Friedberg.

The firm has seen many examples of malware crossing over from a personal account to a corporate system. One recent illustration is the use of fake FedEx or UPS confirmation emails by hackers. Those accustomed to online shopping might open the infected email on their personal device and unknowingly transfer the virus when they go to use the same device or email account at work.

“We have seen massive infections occur just from that exploit,” said Friedberg.

Not only were many of the executives in the Stroz Friedberg survey regularly using personal devices or accounts to do their work offsite, 58% of the senior management survey respondents said at one time or another they’d accidentally sent sensitive information to the wrong individual. Only a quarter of rank-and-file employees who took part in the survey said they’d done the same, leading Stroz Friedberg to conclude that executives are more likely to be the culprit of a security breach than those farther down the corporate ladder.

Executives aren’t just a security risk while they work for a company, either. Over half of the senior management survey participants admitted to saving emails, files and company materials, and taking this information with them to a new position at a different company.

Ironically, and despite the prevalence of BYOD, a large number of respondents said they were concerned about their company’s ability to protect their personal information from hackers. Nearly three quarters of the respondents believe that a hacker could “easily” steal personal details, such as bank account and social insurance numbers, from their employer’s servers. The solution, suggests Stroz Friedberg, is to better train employees about the risks they pose to their company when they use a personal account instead of their corporate one. Corporate communication on the matter could also use some improvement.

Most important, said Friedberg, is the need for companies to hire IT professionals who have expertise in how to secure many different types of devices. If you’re going to allow employees to use iPhones, Samsung Galaxies, Windows phones and BlackBerry devices, “you have to have IT people that know how to secure all of those platforms,” Friedberg said.

“If you allow everything but only have the expertise in a few, you’re really raising your risk profile,” he added.

This is the first time that Stroz Friedberg has conducted this survey, which gathered feedback from 764 “information workers” in the U.S. between the end of October and beginning of November in 2013. The companies surveyed all had at least 20 employees, while the margin of error for the sample was plus or minus 3.54 percentage points, with a 95% confidence level.