Following IT Security Protocol: Why Leading by Example Matters
IT security recommendations exist to protect companies from fraud. Sure, firewalls may make it more difficult to connect to some online services, and two-step identification may seem like it uses up precious seconds, but these measures exist to prevent intrusion. Unfortunately, many top-level executives seem to forget the importance of these policies and security measures. They may feel that because they answer only to themselves, they are not beholden to the same standards as their subordinates.
Experience shows that the opposite is true. Executives who skirt the rules create a company culture where IT security is not valued. Worse, they establish a corporate culture that prioritizes convenience over risk aversion. Proven strategies can then get thrown out the window, and as with someone who forgets to wear a seatbelt, regret often sets in only after it is much too late.
Executives Can Inspire IT Security Practice Buy-In From the Top Down
When the C-suite holds itself to a double standard for IT security practices, it fails to recognize two critical points:
- Security practices that are embraced by senior management are embraced by everyone
- Any lapse in security can create a potential infiltration point
The second point is particularly concerning considering that the top-level brass usually has access to their organization’s most sensitive information. Worse, their actions are seen as representative of their company as a whole. So, if a department supervisor has his email account hacked and the press publishes damaging leaked documents, the entire brand does not necessarily suffer. However, when the company president’s name appears on those emails, shareholders may begin to wring their hands.
Going beyond the sheer liability of a security double standard, the C-suite has more opportunity than anyone else to inspire secure computing practices and sound policies. Employees whose buy-in is inconsistent can be inspired by superiors who emphasize the gravity of following stated policies. Even more importantly, everyone in the organization can be held accountable all the way down when upper management fulfills its duty to educate every employee and demonstrate sound security practices.
What Does Acting Like a Security Leader Look Like?
Executives may understandably see the lines blurred between safe and unsafe actions. Practices that they would have found shockingly irresponsible on day one of a new security initiative may seem perfectly acceptable mere weeks later.
To remain vigilant and understand the duty of setting a positive example, an executive should never engage in the following behaviors:
- Disabling firewalls or monitoring services to hasten connection speeds
- Using weak passwords or disabling multi-step authentication services
- Saving sensitive information in unprotected areas of the cloud or hard disk space, such as having a Google Doc containing all of their passwords
- Accessing sites or online services other employees are barred from out of security concerns
- Transferring sensitive data into insecure environments, such as onto an unencrypted flash drive
- Forgetting to sign out of systems or workstations
- Not reporting suspicious or unusual network activities
- Reducing the frequency of scans on their workstation or turning off scheduled scans altogether
- Sharing access information with non-essential people
- Granting access to networks or files without the proper restrictions
- Accessing sensitive data, including emails and company networks, from insecure devices
We could fill a book with bullet points like these, but the overarching point is that many people who set policies or enforce them end up taking actions that would easily get lesser employees fired. So always ensure that you are toeing the line when it comes to security policies if for no other reason than to ensure that your lower-level staff does the same.
You can also audit your current security practices and measures to find out if you are creating unnecessary risks. Visit our IT security consulting services page to learn more about how our security audits and managed services can help instill a secure corporate culture from the very top to the absolute bottom with no gaps in between.