Via Information Security Buzz (link opens in new tab):
New research, conducted by IronKey by Imation and Vanson Bourne, surveyed 500 IT decision makers in the UK and Germany to uncover the risks of remote working and inquire into the security measures organisations have in place. The findings raised concerns over senior management, with 44 percent of organisations believing that a member of their senior management has lost a device in the last year, whilst 39 percent say senior management had a device stolen. Even more concerning is that the vast majority (93 percent) of these devices contained work related data, including confidential emails (49 percent), confidential files or documents (38 percent), customer data (24 percent) and financial data (15 percent).
This critical bit of information is one that is often overlooked when implementing a set of security policies and practices. There’s a tendency in many organizations to exclude senior management and executives from the most stringent of security practices, perhaps out of a belief that such people have a better sense of what is important to the business than employees further down the org chart or perhaps out of a belief that the behavioural changes required by good security practices would inconvenience the executive group too greatly.
Avoiding information loss or security breaches requires active participation from all levels of an organization, regardless of their technical savvy and of their pay grade. Implementing useful tools and good practices can be a straightforward process if this is kept in mind during all phases of the implementation; ensuring executive engagement is critical, but is often overlooked with the exception of obtaining sign-off for the purchase of a new toolkit.
My recommendation is to ensure that built into any tool or practice implementation is a set of executive training sessions that emphasize the importance of their actions and the most efficient ways to use their tools (both new and old). As good as any tool is, the weakest link is the least-engaged user – letting that user be the one with the most critical data on their portable devices is a mistake that can be easily identified and avoided if the appropriate steps are taken.