Warning: this article may contain opinions of the author that you and iTWire don't agree with.

Warning: IT staff snooping on confidential data!

Opinion and Analysis

“For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems. To those "in the know" they are the keys to the kingdom and if unprotected or fall into the wrong hands wield a great deal of power. This could include highly sensitive information such as merger plans, the CEO's emails, company accounts, marketing plans, legal records, R & D plans etc,” continued Cyber-Ark’s Mark Fullbrook.

But that’s not all. Cyber-Ark has disclosed that IT staff have made another startling admission: that privileged passwords aren’t changed, or get changed infrequently, and a lot less often than user passwords!

This is an absolutely outrageous finding, and it gets worse. Cyber-Ark says that “thirty percent get changed every quarter and a staggering 9% never get changed, giving access indefinitely to all those who know the passwords, even when they've left the organisation.”

So your IT staff go out the door and still have access? What if they’ve gone to work for a competitor or simply feel like being malicious? Some companies could be seriously affected while having no idea where the hits are coming from.

Cyber-Ark then asks who is managing the privileged passwords. Turns out that “half of IT administrators do not have to get authorisation to access privileged accounts, which shows a general lack of control of these power identities and indeed understanding over the power that these privileges command.”

Cyber-Ark’s last findings then show how many companies and their employees are still living in a sloppy, security-weak 20th century world when it comes to handling and exchanging sensitive data, instead of using 21st century technology to keep data highly secure.

The survey shows that 70% of companies continue to rely on “out-dated and insecure methods to exchange sensitive data when it comes to passing it between themselves and their business partners”.

Regular old email is being used by 35% to exchange “sensitive data”, couriers are used by another 35%, FTP is the choice of 22% and the postal system is the choice of 4%.

And 12% of “senior IT personnel” that were interviewed also admitted to sending cash in the post. You’d think they’d do an electronic bank transfer, or even use the dreaded Paypal. Hey, they could even write a cheque. But no! They’re sending cash.

It's clear that not ALL IT security professionals out there are acting in an unprofessional manner. But the fact that so many have happily admitted to cyber snooping means that companies need to be much stricter about security than they are today.

As Cyber-Ark’s Mark Fullbrook concludes: "As we have seen many use their privileged passwords without having to seek authorisation, and if the price is right what's stopping them from choosing to trade information to the highest bidder. Companies need to wake up to the fact that if they don't introduce layers of security and tighten up who has access to vital information, by managing and controlling privileged passwords, snooping, sabotage and hacking will continue."
