×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Senior Managers Are the Worst Information Security Offenders

Unknown Lamer posted about 3 months ago | from the security-is-for-little-people dept.

Security 181

An anonymous reader writes "As companies look for solutions to protect the integrity of their networks, data centers, and computer systems, an unexpected threat is lurking under the surface — senior management. According to a new survey, 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account to work remotely, putting that information at a much higher risk of being breached. 58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

181 comments

Seen it on the job: (5, Informative)

Hartree (191324) | about 3 months ago | (#45908803)

This is supposed to be some great revelation?

They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

Re:Seen it on the job: (5, Insightful)

Ben4jammin (1233084) | about 3 months ago | (#45908961)

It will be a revelation to senior management.

They will in fact need reports such as this to recognize the reality that all us IT workers have known for years. See, the fact that you don't understand that is why you are likely not in senior management :)

Re:Seen it on the job: (5, Insightful)

Penguinisto (415985) | about 3 months ago | (#45909167)

Sad, but true.

I remember a CEO of a moderate-sized corp (!?) who didn't see the need for locking down his Blackberry.... until he lost it one night while out on the town. Took me all of five minutes to crawl out of bed and wipe/lock the device remotely via BES, but the funny part was that it took that incident (and a gentle explanation of why I wiped his device - he originally wanted me to "locate" it for him) before he figured out that security was more than just a buzzword that got in his way.

Re:Seen it on the job: (2)

i kan reed (749298) | about 3 months ago | (#45909357)

Regarding you're sig: if it's a UDP opinion, doesn't that mean you don't want anyone to acknowledge it?

Re:Seen it on the job: (0)

Anonymous Coward | about 3 months ago | (#45910463)

Regarding you're sig: if it's a UDP opinion, doesn't that mean you don't want anyone to acknowledge it?

It means he doesn't care if you get it.

Re:Seen it on the job: (4, Insightful)

MickyTheIdiot (1032226) | about 3 months ago | (#45909349)

So the moral of the story is we should all get together and set up a Gartner-like "consulting" firm where we make C*O's pay million dollar consulting fees and (unlike Gartner) they get the common-sense information they can get from any security text book since the C*Os will only listen to advice that they pay a bazillion dollars for. They are mentally incapable of listening to the smart IT guy in their department that they pay $40k a year.

Re:Seen it on the job: (0)

Anonymous Coward | about 3 months ago | (#45910129)

They are mentally incapable of listening to the smart IT guy in their department that they pay $40k a year.

If the IT guy is working for $40k/year then he is probably not very smart.

Re:Seen it on the job: (2)

MickyTheIdiot (1032226) | about 3 months ago | (#45910251)

Where do you live? You do realize that people live in the states between the two coasts, right? You can have a very sharp IT guy making $40k here and be doing okay.

But, anyway, you missed the point by picking at example.

Re: Seen it on the job: (0)

Anonymous Coward | about 3 months ago | (#45910583)

Still not very smart. Move.

Re: Seen it on the job: (5, Insightful)

Bengie (1121981) | about 3 months ago | (#45910627)

The value of money is relative to the cost of living. Keep your $100k/year job with $300k house and 3 hours commute. I'll stick with my lower paying job in a smaller town with a $100k house that is much larger than yours and 5 minute commute.

Re:Seen it on the job: (2)

multisync (218450) | about 3 months ago | (#45910639)

It will be a revelation to senior management.

They will in fact need reports such as this to recognize the reality that all us IT workers have known for years.

Yeah, right. Senior management will never read a report titled "Senior managers are the worst information security offenders" on a site called net-security.org, any more than they would read a report at motherjones.com about the disparity between the wages of regular employees and executives.

Re:Seen it on the job: (4, Funny)

Grey Geezer (2699315) | about 3 months ago | (#45909191)

Yes, It's not just electronic communication either. A senior manager where my wife once worked wrote the code for the entry door keypad...on the keypad, because memorizing it (or writing it down on a piece of paper he would have to dig out of his pocket) was too much trouble. True story. (I'm sure you all have stories as bad or worse than this one.)

Re:Seen it on the job: (5, Insightful)

cusco (717999) | about 3 months ago | (#45909717)

I work in physical security. Executives are bad, but the absolute worst are doctors. There is a local hospital where the keypad code (1234) for the 'Doctors Entrance' hasn't changed in 23 years, because the doctors refuse to remember their own 4-digit code. Every attempt to change it has resulted in surgeons immediately marching into the executive offices and threatening to quit (really). Even an irate and armed ex-husband entering the hospital through that door didn't convince them. Getting them to use a key card is almost impossible unless they can have one card to leave in the Mercedes, another for the Porsche, and another in their desk that they can retrieve by tailgating into the building. /rant

Re:Seen it on the job: (4, Interesting)

Ben4jammin (1233084) | about 3 months ago | (#45909719)

I once had to remove all the copy codes on all the copiers in the building because apparently the CFO was incapable of memorizing a 5 digit number...I wish I were making this up.

Re:Seen it on the job: (1)

aaarrrgggh (9205) | about 3 months ago | (#45910495)

It isn't a question of if they can or cannot remember a 5-digit number, they simply can't be bothered to remember it. Security has to be easy/transparent in order to work; it is just that executives have a lower pain threshold. Same net effect as making everyone change unique, secure passwords every week. They WILL end up on a post-it.

Re:Seen it on the job: (0)

Anonymous Coward | about 3 months ago | (#45909213)

yep

just this week i had to make a change to our reporting system to allow people to email any report to anyone just because the manager didn't want the hassle of me giving him permissions to dozens of reports

and he did one of those screen sharing meetings with me and he had lots of work going to evernote

Re:Seen it on the job: (2, Insightful)

Anonymous Coward | about 3 months ago | (#45909443)

Good! Overly locked down IT systems are the cause of this issue. Every time an IT manager locks something down, someone has to find a work around to get their job done. The result, instead of going through a fairly controlled set of internal (but trusting of internal users) systems, the content just gets pushed to external systems as a work around, and a much bigger security issue appears.

Re:Seen it on the job: (0)

Anonymous Coward | about 3 months ago | (#45909703)

except later on i looked in our logs and found that on average changes to reports were done a few times per month. this was after an email migration when some reports stopped flowing and i had to make some changes.

anybody on a Helldesk can testify to this (3, Funny)

swschrad (312009) | about 3 months ago | (#45909221)

"I am the Senior Vice-Neutron for Intracorporation Multinational Reassignment! You must open port 23 at once so I can check my stocks!" who hasn't heard something like that?

Re:anybody on a Helldesk can testify to this (4, Informative)

cusco (717999) | about 3 months ago | (#45909919)

Having to unblock AOL so that the marketing exec could send/receive company documents to his personal email account was annoying. The subsequent flood of spam was the only thing that let my boss get away with blocking AOL again. The marketing exec was surprised at our reaction, he just thought that was the way email systems were supposed to be.

This was the same idiot who needed his laptop reinstalled three times in four months when he installed the latest version of AOL's client software the same day it was released.

Re:anybody on a Helldesk can testify to this (0)

Anonymous Coward | about 3 months ago | (#45910077)

We have a very similar problem with a guy that insists on surfing Indian search engines for porn.

This is what "AC" posts are really for...

Re:Seen it on the job: (0)

Anonymous Coward | about 3 months ago | (#45909303)

This is supposed to be some great revelation?

They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

And have their passwords on a sticky note attached to their monitor.

Re:Seen it on the job: (3, Insightful)

Sir or Madman (2818071) | about 3 months ago | (#45910541)

And have their passwords on a sticky note attached to their monitor.

Then stop making up change our passwords every 2 months. We all know that doesn't work anyway.

Re:Seen it on the job: (1)

asylumx (881307) | about 3 months ago | (#45909321)

They are also the employees who are more likely to be dealing with secure or private information, so it does stand to reason that they'd be more likely to accidentally share that information.

Re:Seen it on the job: (1)

AJH16 (940784) | about 3 months ago | (#45909403)

And they are also the ones more likely to be willing to admit it without fear of reprisal.

Re:Seen it on the job: (1)

Anonymous Coward | about 3 months ago | (#45909391)

There's a simple reason for it too.

IT managers who think that they own the network, and try to lock everything down. When an IT manager decides that there's going to be no VPN, and that access to resources from off site is simply banned, it's no surprise that senior management says "no, I'm above you, and I need to do this" and finds a way.

Re:Seen it on the job: (1)

alen (225700) | about 3 months ago | (#45909475)

in some cases this is a real solution

imagine an apple employee working via VPN and downloading new code to their home computer and then share it to the world accidentally. or any company working on a new product. or hipaa data

in these cases there should be a virtual desktop solution or some application front end to do work. my wife has access to some outside of VPN apps to do work with HIPAA data

Re:Seen it on the job: (4, Funny)

CthulhuDreamer (844223) | about 3 months ago | (#45909721)

The CEO of a company I used to work for claimed the VPN was inconvenient, so he would basically sync our entire file server to his laptop every day - marketing, finance, development projects, the works. His laptops were also constantly being misplaced or stolen, so who know how many copies of everything we had are floating around out there. Every business trip was a major security breach in the making.

Re:Seen it on the job: (3, Informative)

MickyTheIdiot (1032226) | about 3 months ago | (#45910037)

In Indiana an admin can be held legally responsible if their network isn't properly secure. I understand what you are saying here, but there are professional and sometimes legal reasons something is more secure than an exec wants.

And while I agree you have your paranoid admins, most admins are struggling just to do basic security that no admin would consider controversial. Like someone else already said... there are many, many papertrails out there so that an admin can show that they attempted to do basic security but they couldn't do it because some big fish in a little pond wanted to be sure he could telnet in from bolivia.

Re:Seen it on the job: (0)

Anonymous Coward | about 3 months ago | (#45910045)

Sounds like you're asking someone to not do their job. You want the legal liability, fine it's on your head. Have fun in prison for violating your government contract and leaking the private information of thousands of people. IT requires that you not be a selfish dick who only thinks of the next financial quarter, yet having foresight to prevent issues before they happen is imposing...and we wonder why the major problems of the world can't be solved.

Re:Seen it on the job: (1)

Grishnakh (216268) | about 3 months ago | (#45910331)

Um, this seems wrong. If senior management doesn't like the way the IT manager is running things, then why are they letting him keep his job? If they're above him (i.e., they're his bosses), then they need to either follow his rules, or they need to fire him and replace him someone who does things they way they like.

Re:Seen it on the job: (0)

Anonymous Coward | about 3 months ago | (#45909601)

Our higher-ed CIO is guilty of this. First he announces that laptops and PCs are "consumer devices" and shouldn't "need" encryption. He talks about how his work laptops aren't "centrally managed" and don't use encryption - it's just not needed. A few months ago, he decides to try his hand at data analytics, and makes a copy of our student database to one of his laptops, which he takes home with him. I'm thinking it's a matter of time before this laptop gets lost or stolen.

Re:Seen it on the job: (0)

TrollstonButterbeans (2914995) | about 3 months ago | (#45909753)

The IT department is there to support senior management. So it is ok if they don't follow security policy.

Seriously.

Security policy is so a $9/hour drone doesn't screw things up. If a big-wig with a hefty 6 figure check messes up, it isn't the same story.

Film at 11.

Re:Seen it on the job: (3, Funny)

LVSlushdat (854194) | about 3 months ago | (#45909921)

Have seen senior managers (CEO-level) saving their daily-to-do's emails in the TRASH!!

Back in the 90s, the company I worked for at the time, was a Novell+Groupwise shop, and we discovered that the company CEO was saving important email to the Groupwise trash. Found this out when we did a trash purge over a weekend and come Monday morning, CEO's executive assistant was on the phone to support saying that the "big-boss" lost a LOT of important email... I was the foot-soldier on call that day, so I had to run down to his office, and investigate. I had to fight hard to keep from laughing out loud when the assistant (big-wig was out of the office, but assistant had big-wigs password(s)) showed me just WHERE the emails had been stored, after a lot of prodding and question-asking.. Since I knew there had been a Groupwise trash purge over the weekend, I knew exactly where the mail had gone, but hoping against hope that the Novell salvage had not been cleared yet, I called the desk admin, and fortuantly he was JUST getting ready to clear salvage.. I managed to stop him, and we were able to recover the big-wigs email.. Being I was the new-guy, there was NOOOOO way I was gonna tell the CEO and his assistant "you DO NOT PUT EMAIL YOU WANT TO KEEP IN THE TRASH!!!" .. I left that up to my big-boss, the CIO... Needless to say we had many chuckles at the next months team meeting...

Re:Seen it on the job: (1)

MickyTheIdiot (1032226) | about 3 months ago | (#45910303)

Same thing has happened to me with saving mail in the trash, but luckily it wasn't a CEO and I could say don't do that. He still did it again later.

Given them a dashboard app instead of access (1)

perpenso (1613749) | about 3 months ago | (#45910325)

They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

That is why you develop "dashboard applications" for their computer or phone that gives them the overview that they want, it pre-empts them from asking for access to the actual data. The data can be accessed and summarized by the server side software that only send the summary info needed for graphics and labeling on the client app.

Shocking... (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#45908831)

Who would have thought that immunity from consequences would lead to carelessness?

Re:Shocking... (0)

Anonymous Coward | about 3 months ago | (#45909001)

Who would have thought that Senior Managers are more prone to Senior Moments?

Maybe (3, Insightful)

Anonymous Coward | about 3 months ago | (#45908885)

58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

Statistics like this are meaningless unless you know how often senior management is sending out information that requires filtering out sensitive information versus general workers. I would expect a CEO to send out more info than the mail clerk and hence a higher chance of sending out sensitive info.

Re:Maybe (0)

Anonymous Coward | about 3 months ago | (#45908929)

It's reasonable to expect more competence and more caution from someone who is paid millions.

Re:Maybe (3, Insightful)

SJHillman (1966756) | about 3 months ago | (#45909099)

"Senior management" doesn't always equate to "paid millions". I work at a medium sized company, around 1000 employees, but of the 20 or so individuals that would qualify as "senior management", only two of them are "one-percenters", and neither of them is even close to a half million in salary. Sure, they're paid more than the rest of us but for most companies, the difference isn't nearly as vast as you seem to imagine it to be.

Re:Maybe (0)

Anonymous Coward | about 3 months ago | (#45909165)

It's reasonable to expect more competence and more caution from someone who is paid more in general.

Re:Maybe (0)

Anonymous Coward | about 3 months ago | (#45909297)

It's reasonable to expect more competence and more caution from someone who is paid more in general.

You are funny

Re:Maybe (1)

queazocotal (915608) | about 3 months ago | (#45909313)

Quite.
But - if the senior managers are dealing with 100* the sensitive material that a normal employee does - then their rate is very considerably better indeed.
They only need to deal with four times as much sensitive information to do twice as well.

Re:Maybe (1)

bsolar (1176767) | about 3 months ago | (#45909541)

You assume that these manager are not being more competent/cautious but the provided statistics are not enough to infer that.

Some lower-raking workers might have to send out sensitive informations only sporadically or even not allowed to send out sensitive information at all while a manager might have to send out sensitive information on a daily basis. This means that the manager will make much more errors than the lower-raking worker even if they are equally competent/cautious and maybe even if he is actually more competent/cautious.

Re:Maybe (2)

Penguinisto (415985) | about 3 months ago | (#45909249)

Seriously? The average CEO salary is nowhere near "millions". You only find that kind of cheddar in the Fortune 500 companies, and even then you'd often have to count stock options into the total.

Hell, in the last two companies I worked in, the School Board Superintendent of Portland, OR made more ($250k) than either of them (~$150k and $175k, respectively).

Re:Maybe (1)

Grishnakh (216268) | about 3 months ago | (#45910395)

Here in New Jersey, all the school board superintendents make around $250k. What's really interesting is that just about every little town and municipality has its own, separate school board, so a typical "school district" probably only comprises 2 or 3 schools (elementary, middle, high school). Yet each one has its own superintendent and associated bureaucracy, with lots of administrators making huge salaries and getting generous retirement pensions. This is a big reason why the property taxes in this state are the highest in the nation.

Re:Maybe (1)

loufoque (1400831) | about 3 months ago | (#45909307)

For small-medium companies, the CEO is only paid 150k to 350k.

Re:Maybe (1)

MickyTheIdiot (1032226) | about 3 months ago | (#45909399)

which is STILL more than the guy doing all the work.

Re:Maybe (1)

bsolar (1176767) | about 3 months ago | (#45909629)

In small companies the CEO might even be "one of the guys doing all the work" and might even be one of the best at it.

Re:Maybe (2)

loufoque (1400831) | about 3 months ago | (#45909675)

A CEO typically does 80-hour weeks, and has a sufficiently good understanding of the product and the market that he managed to make a business with it.
Do you seriously think that it's a problem that he's paid marginally more than his employees that do 40-hour weeks and don't directly contribute to bringing money inside the company?

Re:Maybe (1)

jmcvetta (153563) | about 3 months ago | (#45910273)

I call BS on the claim that CEOs typically work significantly longer hours than their employees. I've never once observed this first-hand at any company I have worked with. Also some CEO activities such as going to fancy dinners with clients, while perhaps important to the company, are closer to leisure than to work.

Re:Maybe (1)

MickyTheIdiot (1032226) | about 3 months ago | (#45910333)

Actually, I don't have a problem with a CEO getting paid marginally more, but the numbers of employees "not bringing money inside the company" tend to be a lot smaller than the executive-worshiping culture likes to admit. Plus I don't believe any employee is 300 times more valuable than any other, but then I am a dirty hippie, eh?

Unexpected? (0)

Anonymous Coward | about 3 months ago | (#45908891)

I do not think it means what you think it means.

Sampling bias (3, Insightful)

SirGarlon (845873) | about 3 months ago | (#45909041)

Senior managers *should* exchange a lot of communication with a lot of people. That creates more opportunities for a mistake. A rational policy would be for the people who most commonly transfer important information to have the best security tools and training.

But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

Re:Sampling bias (2)

Attila Dimedici (1036002) | about 3 months ago | (#45909105)

Who exactly is going to educate these executives? The people being talked about in this article generally outrank in the corporate hierarchy the people who teach everybody else to maintain information security, on pain of being fired.

Re:Sampling bias (1)

SJHillman (1966756) | about 3 months ago | (#45909117)

Have you ever tried to educate a senior exec? Sure, there's a few good ones out there, but for the most part you may well try teaching a dead dog to fetch your slippers.

Re:Sampling bias (4, Insightful)

Trepidity (597) | about 3 months ago | (#45909173)

Trying to get them to follow any kind of IT policy is nearly futile as well. Many recognize the need for an IT policy in the abstract, and will be happy to sign off on something that the average worker has to follow, but they see themselves as a special case that needs more freedom to operate as they see fit.

Re:Sampling bias (0)

Anonymous Coward | about 3 months ago | (#45909337)

In fairness to everyone, the average IT policy is a collection of "best practices" that have no foundation in reality and are chosen by the IT staff because it's the easiest pseudo-security to implement. This is usually done with no input from the rest of the organization except the vaguely worded policy approved by someone who only skimmed it.

If you want a security policy to work, you have to start by discussing the costs vs. dangers of business as usual and each change you want to make. You need to have that discussion with those who will be effected, and you have to be ready to suggest at least three levels of paranoid defense for each problem, all with preliminary price estimates (and example costs of insecurity).

Re:Sampling bias (0)

Anonymous Coward | about 3 months ago | (#45909723)

If you want a security policy to work, you have to start by discussing the costs vs. dangers of business as usual and each change you want to make. You need to have that discussion with those who will be effected, and you have to be ready to suggest at least three levels of paranoid defense for each problem, all with preliminary price estimates (and example costs of insecurity).

And the first time the CEO tries to watch porn after implementing your newly specced out security policy, do you think he's going to give a damn?

Re: Sampling bias (0)

Anonymous Coward | about 3 months ago | (#45910155)

Watching porn at work should be handled by some sort of employee conduct policy. If you are handling it with your IT security policy, your IT security policy is broken.

Re:Sampling bias (1)

Spazmania (174582) | about 3 months ago | (#45909643)

Some have simply given up on trying to force the general-case IT policy to be useful. They "solve" the usability problem for their specific case by ignoring IT and using outside tools over which IT has no control.

"IT goon: Business comes first. We're here to support your business!"

"Me Great! We build software systems based on open source, so our developers need access to github."

"IT goon: Sorry, that's a file sharing site. Using it is against policy."

'Me: You said business first. Our business uses open source software from github."

"IT goon: That's right! Business first! Just no file sharing sites."

Re:Sampling bias (1)

SirGarlon (845873) | about 3 months ago | (#45909417)

I don't report to senior executives, so no. But if I did, and they wouldn't listen to my ideas for how to minimize corporate espionage and massive data breaches, I would start looking for a new job where my professional skills were valued.

Re:Sampling bias (1)

Penguinisto (415985) | about 3 months ago | (#45909289)

But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

Yeah, I know - sarcasm... but educating a CxO isn't as hard as you think - the only real trick is to carve enough time out of them to do it.

Re:Sampling bias (1)

MickyTheIdiot (1032226) | about 3 months ago | (#45909461)

I guess I have Sampling Bias too, but ever time I have tried to do this I have been accused of trying to hold the organization back. I have had a lot of bad mangers in my career I admit, and most of them equate their own convenience with "doing what is right for the organization."

Re:Sampling bias (2)

msobkow (48369) | about 3 months ago | (#45909523)

"Let's not educate the executives?"

Clearly you have never tried to "educate" an executive. Their inevitable response is "I need to do this", and to make you responsible for preventing the damage they risk and cause. It's the email administrator's fault that the email system let them send that financial report to the wrong people, dontcha know.

Re:Sampling bias (1)

Anonymous Coward | about 3 months ago | (#45910607)

Senior managers *should* exchange a lot of communication with a lot of people. That creates more opportunities for a mistake. A rational policy would be for the people who most commonly transfer important information to have the best security tools and training.

But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

I wish they would listen. I've tried discussing security with senior management and have literally been told, "I don't understand the need for all this nerdy stuff." He continued ignoring policies.

Why is this surprising? (1)

megla (859600) | about 3 months ago | (#45909175)

Senior management frequently consider themselves exempt from just about all company policies which apply to the lower ranks, it shouldn't be too surprising to find that IT security policy is among the ones they feel are below them.

Re:Why is this surprising? (0)

Anonymous Coward | about 3 months ago | (#45910189)

Maybe that's because a) they *make* the policy and b) they *are* above it?

I'm guilty of this and I'm not even senior. (1)

ip_freely_2000 (577249) | about 3 months ago | (#45909187)

Work is expected to get done over a weekend so I take it home.

Re:I'm guilty of this and I'm not even senior. (1)

sandytaru (1158959) | about 3 months ago | (#45909393)

So work hasn't assigned you a work laptop, or at the very least, given you a VPN so you can get into a secured network to get your files? Not even OWA or the other open source equivalents on the work network to email yourself at the work address instead of sending it to an unsecured third party email?

All to true (0)

Anonymous Coward | about 3 months ago | (#45909265)

I have to deal with this from several Exec VP's. They just do not understand and refuse to listen. Thankfully I have a nice long paper trail protecting my ass.

"Accidentally" (1)

gmuslera (3436) | about 3 months ago | (#45909299)

Like sending AWS/rackspace management passwords in plain text by email. If you choose to drive drunk because you know better and kill someone is not an accident anymore.

Friggin crazy (1, Interesting)

Spiked_Three (626260) | about 3 months ago | (#45909319)

This is total BS. The Slashdot summary of the article anyhow.

As a senior, but with practical security experience, plenty of it, I can tell you what is happening is the younger crowd are FAR more likely to lie about having sent business information. The older one gets, the less they care about lying to cover their ass.

Secondly I will say that in every job I worked, I knew a lot more about security than the company did. An exception might be the companies that specifically hired me, to breach security at their companies, as proof their college educated certified IT people were clueless. Someone on the board of those companies knew the difference between book smart and actually smart.

Great example; the white house;
me: why does CICS have all these storage violations everyday?
OPM: oh they are nothing, just program bugs
me: no, they are storage violations. You can't tell the difference between a program bug and someone intentionally going after info.
OPM: your fired.
Guess what news story was next to be covered up and swept under the rug?

Bosses, senior or not, who do not want to hear bad news is what leads to things like the Healthcare rollout fiasco. And they are the #1 security problem in I.T. as well.

So, your company has no AUP? (1)

sl4shd0rk (755837) | about 3 months ago | (#45909407)

You job as a security wank is to get the policies straight and give them to management to disseminate and get signatures on. Presumably, management has signed off on these just like everyone else. After that, it's mostly an HR problem.

Bad analysis (total amount vs. frequency) (0)

Anonymous Coward | about 3 months ago | (#45909469)

While there probably is some truth behind this, the given statistics are near worthless.

Judging by the absolute number of mistakes (ie "have you even made mistake X?") naturally makes those who have been working longest most probable of being guilty. By this standard interns in their 1st day of work ever are the ultimate example of data security. They have not had a chance to goof up!

Epic facepalm moments (4, Interesting)

Solandri (704621) | about 3 months ago | (#45909519)

A former boss of mine had a bad habit of hitting Reply instead of Compose when writing new emails. I noticed I'd get emails from her which were totally unrelated to the mail she'd hit Reply on. I warned her several times that that could be dangerous since hitting reply automatically includes the previous email(s) as a quote.

Then one day it happened. She decided to send out a mass email to all staff, and composed it by hitting Reply on one of my emails. I got into work, checked my email, and did the biggest head-desk of my life. She had replied to one of my emails where we'd been discussing employee bonuses and pay raises, including extensive deliberation over what we were going to tell certain employees in their annual performance review. That lengthy discussion was quoted and got sent to the entire staff. Fortunately the damage wasn't as severe as it could have been - the four employees we'd discussed in the email thread were all good employees so most of our comments had been positive.

On the up side, it broke her habit. She never composed a new email by hitting Reply again.

Re:Epic facepalm moments (1)

operagost (62405) | about 3 months ago | (#45910585)

Let me guess: Lotus Notes? I can't think of any other program that wouldn't make it obvious that the previous email was being quoted.

Upper management gets special treatment (1)

GodBlessTexas (737029) | about 3 months ago | (#45909859)

At my last job, upper management had different password strength requirements because they couldn't handle the normal ones designed to make them use secure passwords. Instead of 8 characters minimum with at least one capital letter, number and special character, they simply got away with 8 characters. Why? Because they complained enough, couldn't remember their passwords, and had the power to exempt themselves.

Re:Upper management gets special treatment (1)

operagost (62405) | about 3 months ago | (#45910671)

It's kind of like admitting you're less intelligent than the employees. Not what I'd care to do.

of course, they're useless (0, Offtopic)

thetoadwarrior (1268702) | about 3 months ago | (#45909991)

Nearly every single problem with a company can be attributed to the managers, especially senior managers. They're useless leeches.

Hardly a revelation... (1)

Anonymous Coward | about 3 months ago | (#45910151)

Things I've seen managers request in some of my former places of employment:

1) All passwords on the network were to be "standard". There were some minor differences in the passwords depending on the user, but for the most part, they were all XXX1234. With XXX being the initials of the user and the digits being the hire date or some such. No big deal normally, except that every employee had to display an ID card that had their name and hire date.

2) "Free software" would not be allowed. Consequently, an out-of-date and broken public key encryption tool was mandated instead of GPG.

3) HR Manager demanded that a share be opened up to a particular group because his team needed to share files. Rather than creating a smaller group and allowing that small group, he demanded that the existing group be used. Consequently, the employee salary information was visible to almost everyone with a login. This one was particularly annoying because he insisted that the job of IT was not to dictate policy, but to implement policy. I.e., IT would need to transparently keep the logins secure even with open access. This was a big deal at the time because of a notion that good computer interfaces meant that the computer changed to accommodate the user and not vice versa.

4) Manager surfed porn from operations PC. This was fun. I was in support at the time. Loss Prevention called and asked for me. I was worried. While the guilty manager was there, they had me pull up the browser history and system logs. The image cache was particularly interesting. I tried to be as diplomatic as possible.. "OK.. The log shows that someone with ID xxxxxx logged into the computer at 1:30AM. At 1:35AM, Internet Explorer was opened with that account. The logs show that this ID then visited the following sites..." Etc.. etc.. Can you see what was on those pages? "I can tell you the URLs but I don't recommend visiting the site." What sort of sites? Then the list of porn sites followed.. Weird, bizarre stuff.

I'm posting this as Anonymous because I still work at one of these places...

Limited Options (1)

Anonymous Coward | about 3 months ago | (#45910157)

At my workplace our IT team has a policy about using cloud services like Dropbox for security reasons. Will our IT team consider rolling cloud storage on our own servers? Nope. Their solution is to use a flash drive. While many just outright violate the policy to get work done, I have done as they suggested and use a flash drive. To date I have lost (and quickly recovered) it 3 times.

Well, Yes... that is correct... (0)

Anonymous Coward | about 3 months ago | (#45910367)

...it has also been well known for the past 25 years.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...