A survey of 300 IT Security professionals has revealed that board of directors are most likely to ignore or flout security policies and procedures, with 42% cited as frequently ignoring them. That’s according to a survey released today by Cryptzone, Europe’s IT Threat Mitigation specialists, who found that rather than setting an example, over half of respondents were convinced that senior management believe that "the rules don't apply to them" when it comes to respecting IT security policies and procedures.


Alarmingly, 52% of those surveyed agreed with the statement that the Board of Directors have access to the most sensitive information yet have the least understanding of security. A worrying statistic when data loss has become a daily news headline and the regulators is hitting hard on organisations with lax attitudes towards data security.


Senior Vice President of the NETconsent business unit at Cryptzone, Dominic Saunders, said, "There’s a saying ‘do as I say, not as I do’ and this study would appear to demonstrate that it resonates in the executive corridor of far too many organisations today. However, there’s also a phrase ‘united we stand, divided we fall’ and that’s what each person who doesn’t tow the security line is potentially exposing their company to. Education is so important so that every single person not only knows what they should be doing, but also why they’re doing it. On top of that organisations need to get savvy and introduce solutions that don’t allow anyone, regardless of how far up the corporate tree they sit, to flout policies and procedures."


The survey was conducted amongst 300 IT professionals visiting last month’s Infosecurity Europe, so surprisingly , when asked who in the organisation is least likely to follow policy and procedures, 20% answered senior managers, 17% CEO’s and an additional 20% pointed the finger right back at themselves citing the IT team!


"This is a tough problem. Seeing wanton disregard at a senior level for the policies and procedures put in place to protect an organisation is infuriating, and a real challenge for the CISO who must balance the needs of a business with the requirement to protect assets." said Nigel Stanley, Practice Leader for Security at Bloor Research. He added, "I consider the starting point for all security measures to be a governance statement signed by the board, at least with this you have some comeback if senior managers and directors aren’t playing ball."


Turning attentions to security training, 65% of companies offer the same level and amount of IT security training to everyone in the organisation. Dominic concludes, "The reality of this practice is money is being wasted training people who might not need it, while not providing enough to the most at risk groups. Instead training should be tailored to reflect the level and depth of information people are privilege to, balanced against the risks they’re exposed to."