
One third of senior IT staff snoop into confidential data

25 Jun 2008 12:00 AM | Anonymous
As government data security falls once again under the spotlight, a survey has revealed that one third of IT managers across all types of organisation secretly look at confidential corporate and personal data. The data they snoop on includes salary details, M&A plans, personal emails, board meeting minutes and other personal information.

Those are the findings of a survey of more than 300 senior IT professionals, mainly from companies employing more than 1,000 people, by digital vaulting specialist Cyber-Ark Software. One third of respondents admitted to using their privileged or Administrator rights to access information that was confidential or sensitive, while nearly half (47%) said they had accessed information that was not directly relevant to their role.

This follows reports earlier this month on sourcingfocus.com that internal data loss and theft had affected over one-third of organisations.

Mark Fullbrook, UK Director of Cyber-Ark, says: “When it comes down to it, IT has essentially enabled snooping to happen. It’s easy – all you need is access to the right passwords or privileged accounts and you’re privy to everything that’s going on within your company. Gone are the days when you had to photocopy sheets of information with your customer database on it, or pick the lock to the salaries drawer.”

Fullbrook's comments are well timed, coming hard on the heels of the Public Accounts Committee's investigations into public sector data security and the Information Commissioner's comments about the MoD and HMRC: "In some organisations," said Fullbrook, "there is little understanding or lack of controls in place to manage workers' access to systems.

"For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems. To those 'in the know' they are the keys to the kingdom and if unprotected or fall into the wrong hands wield a great deal of power. This could include highly sensitive information such as merger plans, the CEO’s emails, company accounts, marketing plans, legal records, R & D plans, and so on.”

Of greater concern is that privileged passwords are still changed infrequently – indeed, less often than user passwords. Thirty percent are changed every quarter, the report found, while a staggering nine percent are never changed – even when staff have left the organisation.

The report also revealed that half of IT administrators do not have to obtain authorisation to access privileged accounts, which shows a general lack of control over these power identities and, indeed, a lack of understanding of the power that these privileges command.

Other key findings, which might sound familiar to the oft-criticised public sector, include:

• Seven out of 10 companies rely on outdated and insecure methods to exchange sensitive data with their business partners, with 35% choosing to email sensitive data, 35% sending it via a courier, 22% using FTP and four percent still relying on the postal system. Twelve percent of senior IT personnel surveyed chose to send cash in the post.

“Companies need to wake up to the fact that if they don’t introduce layers of security and tighten up who has access to vital information, by managing and controlling privileged passwords, snooping, sabotage and hacking will continue,” said Fullbrook.
