Why CIOs May Be The Company’s Biggest Security Risk

Your actions may be inviting danger into the company

The world is a very dangerous place. Your IT department has lots and lots of data on its computers that bad people would like to get their hands on. Thank goodness your company has taken care to secure every way that there is for outsiders to get into your company’s network. Oh, wait a minute. Maybe there’s one way that hasn’t been secured – you!

What We Are Doing Wrong

Over the last 30 years or so, corporations have spent untold billions of dollars to create secure corporate networks. The definition of information technology tells us that we need to use firewalls to keep the bad guys out and strict corporate policies to restrict exactly what can be connected to the corporate network.

That’s all fine and good until you, the CIO, come along. For a couple of very important reasons you may be your company’s single greatest security threat. The first of these reasons is simply that you know too much. In your head is a lot of information that both hackers and your company’s competitors in the IT sector would love to get their hands on.

This means that every action that you take online runs the risk of exposing confidential company information to the outside world. This could be as simple as when you update your LinkedIn profile with what you are currently working on to when you use your personal Gmail account while you are at work.

The second way that you may be your company’s biggest security threat is by your love of all that is new and shiny. CIOs are notorious for being the first kids on the block to go out and buy the latest tech gadget no matter if it’s the latest iPhone or iPad. Once you have this fantastic new device and you start to use it all the time, you’ll of course bring it into work. When you do this, you run all sorts of risks.

Hanging A Sign Out

If you were a bad guy and you wanted to break into your company’s corporate network, how would you go about doing it? Considering that companies have had enough time to secure their corporate networks from people breaking in from the outside, you’d probably do the next best thing: try to break in from the inside.

You’d go about doing this by finding out who worked for the company. Then you’d engage in a little of what’s called “spear phishing”. This is when you send someone who works for the company an email that looks like it is coming from somebody else inside the company, asking for usernames, passwords, nuclear launch codes, etc.

We’ve all been trained not to respond to the spam emails that we get all the time. However, these spear phishing emails are a lot harder to detect because they look like they are legit. We make ourselves phishing targets by sharing a lot of personal information on the web. LinkedIn is a prime hunting ground for those who would like to do us harm – there is a lot of key information shared out there.

Doing It Ourselves

Another way that we can cause great harm to the company is when we bring our newest and shiniest electronic gadget with us to work. As the Iranians found out with their centrifuge machines, a computer from home can contain all sorts of nasty viruses and bad things.

The company has policies about what can be connected to the corporate network and what public web sites we are allowed to use while at work. As CIO you may believe that these rules don’t apply to you; however, that’s where you’d be wrong. Yes, the rules might be an inconvenience sometimes, but they were created for a reason.

Couple all of the standard threats with today’s popular social media sites and you have a real problem on your hands. The fact that hackers can reach out to you via numerous social media sites means that they are just that much closer to getting into your corporate network.

What We Need To Be Doing

So clearly it’s a big scary world out there, and we are not exempt from taking steps to be part of the solution rather than the problem. What should we be doing?

First off, just make it a personal rule that you’ll never email any confidential information such as user names or passwords to anyone no matter if you think that they work for the company or not. If somebody needs that information, have them come to your office and pick it up.

Next, make it a policy to never open any attachment that has been added to an email you’ve received. This is how the bad guys get you to run code that opens up doors into your corporate network for them. Make it a habit not to open any attachment until you get into a meeting or a call where the person who you think sent it can confirm that they really did.

What All Of This Means For You

So now that we understand that the single greatest threat to the safety of our company’s digital assets may be us, what does all of this mean? It’s actually pretty straightforward. We need to become more responsible in how we behave because of the importance of information technology to our company.

We need to always be aware of the fact that there are people out there who are always looking for a way to break into our company’s computers. Due to our special position in the company, if we’re not careful then our actions may open a door for them to gain access to the company’s network.

I like the newest flashy device just as much as you do. However, when it comes to keeping the company’s network safe, it appears as though we need to separate our personal life (and devices) from those that we use at work. Don’t worry – eventually all good things will find their way into our office the right way!

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Can you think of a situation in which it would be appropriate for you to use your personal email as a part of your job?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

One of the most important jobs that a CIO has to do is to manage the people that work for him or her. I’d like to be able to tell you that all of those people are going to be star performers. However, that’s not the case. Where a CIO can run into real problems is when some of the team are bad apples – lazy, angry, or just downright incompetent. What’s a CIO to do?