Data Breach Worst Offenders? Executives

Studies reveal senior managers account for greatest information security risks

By Leonard Webb Feb 6, 2014

Experts say HR should be particularly mindful about security breaches because, as two new studies reveal, senior managers and executives remain the worst information security offenders.

According to a recent report from global investigations, intelligence and risk services company Stroz Friedberg, 87 percent of senior managers regularly upload work files to a personal e-mail or cloud account, and 58 percent of them have accidentally sent sensitive information to the wrong person, compared to 25 percent of workers overall. What’s more, 51 percent of senior managers have taken job-related e-mails, files and other material with them after leaving an employer—twice as many as those in lower-ranking positions.

In addition,’s 2013 Information Security Breaches Survey found that while 81 percent of respondents said that their senior management places a high or very high priority on security, many business leaders have been unable to establish effective security defenses.

So how can HR professionals convey the importance of IT security to their most senior-level employees without ruffling feathers?

Flattery Works

“Flattery is a proven method of getting what you want out of executives,” said Jeremy Ames, president of Gaucho Group, an HR technology consultancy based in Massachusetts, and a member of the Society for Human Resource Management’s (SHRM) Technology and HR Management Special Expertise Panel.

“The message that the HR team can deliver to executives is to remind them that they are going to be the primary targets of attacks, and, as such, they need to be even more diligent than everyone else,” said Ames.

The trick then is to include senior management in the development of the solution. “One unique approach to tackling this challenge and, at the same time, accomplishing engagement of executives, is to get them to define what the company’s intellectual property actually is,” he said.

For example, he said, companies should remember that securing their intellectual property doesn’t begin with the end product, but with the unique ideas, concepts and blueprints derived by their workforce along the way. Ames compared it to “a chef at a restaurant talking about a potential new recipe a month before it ends up on the menu.”

There are signs that business leaders are cognizant of the need to beef up information security measures. The Stroz Friedberg report revealed that 45 percent of senior management respondents said that they themselves are responsible for protecting companies against cyberattacks, yet 52 percent give corporate America’s response to cyber threats a grade of “C” or lower, an “encouraging statistic,” said Executive Chairman Ed Stroz.

“I’m more worried about people thinking that they’re stronger and better protected than they are, because that could mean that they underestimate the damage that can be done,” he cautioned. “If you walk around thinking you’re an ‘A’ or a ‘B,’ yet you’re really not, I think you’re more likely to get blind-sided than if you’re saying, ‘we’re probably a “C,” “D” or “F” and, as a result, bad things can happen.’ I’d rather have people in that mind frame, if it were accurate, than having people being delusional, thinking that they’re better prepared than they are.”

Challenges Abound

Smartphones have blurred the lines between personal and professional time. They’ve also hindered security. Damon Lovett, a senior human capital management consultant with Knowledge Source, notes, “Staff at all levels are going to use their devices for work as well as personal consumption of information. Corporate demand for deeper insight into the business (i.e., more people and data), cheaper storage and intuitive user experience makes next-generation cloud solutions and mobile applications a must.”

Unfortunately, security isn’t as much of a concern—until something bad happens.

According to, 12 percent of the worst security breaches were caused partially by senior management giving insufficient priority to security.

To combat this, “HR must create a strong partnership with the chief information officer to implement and enforce policies and strong infrastructure/framework to safeguard business information and control chaos,” said Lovett, a board member of the International Association for Human Resources Information Management (IHRIM).

Once the policies are in place, then the CEO and other senior leaders take the lead.

“Get them talking about the importance of information security,” Lovett said. “Make it personal to staff and explain how the safeguards put in place at the company could be used to keep personal information secure as well.”

Ames suggests HR ask executives to consider the following:

“What kinds of information can be shared via e-mail and on what devices? Is a personal Google Drive account an acceptable location to store company documents?” he said. That discussion could lead to “some practical guidelines for protecting intellectual property and things that can be communicated to the rest of the company. The information will allow the people that should be most incented to protect the intellectual property—the executives—to lead by example.”

Stroz pointed to the use of hand sanitizer in the workplace, the direct result of cultural reinforcement over the past decade, as an example of the importance of good hygiene in progressive health maintenance.

“You have to do the same thing with information security,” he advises, noting that periodic training that’s both logical and emotional will “move a company from a compliance mentality to embracing security as extraordinarily important to the firm.”

Leonard Webb is a freelance writer in Wyncote, Pa.

