The Eyes of IT are Upon You! Curiosity Often Trumps Do The Right Thing According to New Study

At a company I did work for there was a middle manager in the IT area who liked to be the person "in the know." At meetings he would always talk about ideas or plans that he should not otherwise have been privy to.

He had administrative rights to the personal storage directories, and also to the print queue. He finally got caught with several inches of printouts of other people's emails and other documents that had been sent to be printed, along with other files in the personal storage directories. He admitted that he started out peeking out of curiosity, but then realized he was being left out of some key discussions and decisions, so he thought he'd help his career by keeping up on what other people were doing by looking at their stuff.

After all, he had administrative rights to those locations, right? That was his reasoning, even though the policy stated that personnel must not try to access other people's data unless they had a business need or had explicitly been granted access. In this guy's mind, having been explicitly given admin access justified the snooping.

A survey recently done by Cyber-Ark shows that one third of IT professionals ADMIT to

"snooping through company systems and peeking at confidential information such as private files, wage data, personal emails, and HR background, just by using the special administrative passwords that give IT workers privileged and anonymous access to virtually any system. One IT Administrator laughed out loud as he answered the survey, saying: "Why does it surprise you that so many of us snoop around your files, wouldn't you if you had secret access to anything you can get your hands on!"

As if that weren't bad enough, the survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them."

I'm not surprised, but it is disappointing, isn't it? And I bet that more actually do this snooping than admitted to it.

I'm also not surprised that so many still had lingering access to systems after leaving an employer or changing position within the company. At most companies the exit procedures for systems and applications access are almost non-existent. IT folks typically have so many different remote access paths into systems that at least one of them usually does not get shut off.

The survey also revealed:

* 20% admitted that they rarely changed their administrative passwords, and 7% said they NEVER changed them.

* 8% of IT professionals said they never changed the manufacturer's default admin password on critical systems.

* 57% store their administrative passwords manually on post-it notes; 18% store them in a spreadsheet.

* 15% of the companies had experienced insider sabotage.

Yes, the insider threat is very real indeed.

Folks who have trusted access must have additional controls established, and they must have targeted training and ongoing awareness.

Admin ID activity should be logged and audited.
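As an added illustration (not part of the original post), here is the kind of audit check that would have caught the manager described above: it reads constructed, hypothetical audit log lines and flags privileged accounts reading other users' personal storage directories or print queue contents, while honoring explicitly granted access. The log format, account names, paths and the GRANTS table are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample audit lines (not from any real system). Assumed format:
# "<timestamp> user=<account> action=<read|write> path=<path>"
SAMPLE_LOG = """\
2008-02-14T09:01:12 user=jdoe action=read path=/home/jdoe/budget.xls
2008-02-14T09:03:40 user=itmgr action=read path=/home/asmith/inbox.pst
2008-02-14T09:04:02 user=itmgr action=read path=/var/spool/print/job-1182
2008-02-14T09:10:55 user=itmgr action=write path=/etc/printcap
2008-02-14T09:12:30 user=helpdesk1 action=read path=/home/bwong/resume.doc
"""

# Accounts holding administrative rights (constructed for this example).
PRIVILEGED = {"itmgr", "helpdesk1"}

# Explicitly approved access, as the policy requires: ticket -> (account, path prefix).
GRANTS = {"TICKET-0042": ("helpdesk1", "/home/bwong/")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    path: str
    reason: str


def is_granted(user: str, path: str) -> bool:
    """True if a recorded grant covers this account and path."""
    return any(u == user and path.startswith(prefix) for u, prefix in GRANTS.values())


def audit(log_text: str, privileged=PRIVILEGED) -> list[Finding]:
    """Flag privileged-account reads of other people's data that lack a grant."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in privileged:
            continue
        ts, user, path = m["ts"], m["user"], m["path"]
        home = re.match(r"^/home/([^/]+)/", path)
        if home and home.group(1) != user and not is_granted(user, path):
            findings.append(Finding(ts, user, path, "other user's personal directory"))
        elif path.startswith("/var/spool/print/"):
            findings.append(Finding(ts, user, path, "print queue contents"))
    return findings
```

Routine administrative work such as the write to /etc/printcap is not flagged, and the helpdesk read covered by TICKET-0042 is treated as legitimate; only the two accesses with no business justification surface for review.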

Most folks are generally curious by nature, and most will do things because of that curiosity if they think they will not get caught.

IT personnel with trusted access must be well aware of the code of ethics within your organization, and they must be reminded on an ongoing basis that just because they CAN peek at sensitive information doesn't mean they SHOULD. In fact, they must know that this is against the code of ethics and against information security policy, and that if they are caught doing it, strong sanctions will be applied.

Upon discovery of his snooping activities, the IT manager from the beginning of my post was moved into a different position, at the same salary, one he absolutely hated. It had no admin capabilities, very little access to any IT resources, and almost no contact with other personnel. He soon resigned.

Comments

What sucks most about this topic is those of us who highly value integrity. Even if I accidentally snoop or see things when in the course of my normal job, I automatically just don't recall it or pay attention. If I do, I definitely keep secrets. Yeah, I can be a stick in the mud sometimes...but I consider that good when it comes to organizational secrets that I might have access to as IT.

But it sucks trying to get anyone to trust you or believe you, especially in light of past experiences that company has had or surveys like this (let alone the dramatic media reports of rogue IT persons planting logic bombs and the like). It makes some of our natural honest efforts pretty worthless.

Thanks for your comments, LonerVamp!

This topic of entrusted access was on my mind all day...gave me some thoughts...hmm...

I think there's a tendency to assume that the employees a company has chosen to hire are honest and value integrity, though that doesn't always hold true. It's hard to think of your own colleagues as sneaky and untrustworthy, but the scenario you just described is all too common.
A survey conducted by NPR public radio shows similar results: 13.4% of 2251 respondents admitted that they would read a coworker's email, while 38 skipped the question.
The reality is that security policies and procedures should focus on both outside AND insider threats.

Thanks for the NPR survey, Mila.

Yes, assumed trust is a dangerous business practice.

I'm very intrigued by this topic; not just regarding IT admins specifically, but trusted employees in any position snooping with the access they had been granted.

Someday I'd love to do a scientifically based study about this; looking at such things as company size, industry, geographic area, job positions, and so on. I think the results could help to establish better screening practices for potential employees as well as demonstrate the need for ongoing logging of activities for personnel in key positions.

Also, just knowing their activities are being logged would stop a lot of the curiosity-based snoopers from snooping.

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.