Company directors are setting a poor example when it comes to securing sensitive information, according to a research report by software firm Egress. Despite their position of responsibility, business leaders are leaking data more often than their employees are, it found.
The Insider Data Breach Survey 2020 also revealed that the more senior the individual, the less likely they are to accept responsibility for information security.
The research found that 78 per cent of directors had intentionally flouted company policy by sharing data, while 68 per cent admitted that they had taken sensitive information to a new job. They were far more likely to fall prey to phishing too, with 61 per cent admitting that they had breached security this way.
“Frighteningly, some of the worst offenders are the more senior people,” said Tim Pickard, chief marketing officer at Egress. “We know that criminals are aware of this too, because they target senior people in organisations. First, because they have access to sensitive information and, second, because their behaviour is not as rigorous as that of some people lower down their organisations.”
The research surveyed more than 5,000 people working in companies with 100 employees or more in the UK, the US and Benelux. Directors comprised about 10 per cent of the sample.
Pickard speculated that the trend is a result of a belief among many directors that they are “above some of the protocols and data security training. They can sometimes think that their job is more important than the security of the business.”
Business leaders who fail to protect data are also giving the wrong message to their employees, according to Pickard, who added: “The ‘do as I say, not as I do’ attitude that some have taken is not healthy for their organisations.”
Financial penalties could spur boards into action
Companies found to be in serious breach of the General Data Protection Regulation (GDPR) have been at risk of a maximum fine of €20 million (£18 million), or four per cent of global annual turnover if that is greater, since the GDPR’s implementation in May 2018.
The Information Commissioner’s Office (ICO) claimed its first big scalp in July 2019, when it proposed that British Airways should be fined just over £183 million after the airline allowed details about 380,000 customers, including personal and financial information, to be leaked. Marriott is facing a £99 million fine after the hotel chain lost more than 300 million booking records.
Karen Brooks, senior consultant at Opinion Matters, which conducted the research for Egress, suggested that the imposition of further big fines could spur boards into action.
“Senior people have greater pressures to get things done, so they might create workarounds to do their jobs from home or while travelling. But this could sacrifice data security,” she warned, urging directors to follow the same policies as everyone else.
For directors looking to improve their data protection knowledge, IoD Manchester is hosting an event on The Importance of Cyber Security on 18 June.