Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Monday, 23 June 2008 06:37

Warning: IT staff snooping on confidential data!

Do you trust your IT staff to do their jobs and mind their own business? If so, you could be in for a scandalous shock: a third of them have inexplicably volunteered in a survey that they’re looking at highly confidential data, sometimes even after they’ve left the company. Time to be alert – and alarmed!

Do you trust your IT staff? That’s a question every company now needs to ask itself in light of a survey from security company Cyber-Ark, which unveils some very shocking findings: your IT staff are spying on you.

Of course, not all IT staff are doing that, but one third of 300 senior IT professionals surveyed at the recent “Infosecurity Expo 2008” event showed they were really IT unprofessionals, “snooping around the network, looking at highly confidential information including salary details, M&A plans, the personal emails of others, board meeting minutes and other personal information”.

Cyber-Ark’s annual survey is called “Trust, Security and Passwords”, and it reached out mainly to IT professionals from companies employing over 1000 employees to take part.

When one third of those surveyed freely admit “to using their privileged rights to access information that is confidential or sensitive by using the administrative passwords as a means of peeking at information that they are not privy to”, we’re talking about a major security breach.

Worse still, of those 300 surveyed, 47% admitted to accessing information that was not relevant to their role.

Not only are some of these IT staff an active danger to the security of the companies that employ them – they’re admitting so in a survey which will have its results made public!

That’s highly careless in itself. Why are these IT staff so willing to admit their transgressions to third parties, even if their identities are anonymous? Few companies will now be willing to accept their IT department’s assurances that the security and privacy of information is being respected.

Mark Fullbrook, UK Director of Cyber-Ark says "When it comes down to it, IT has essentially enabled snooping to happen! It's easy - all you need is access to the right passwords or privileged accounts and you're privy to everything that's going on within your company.”

Fullbrook continues: “Gone are the days when you had to photocopy sheets of information with your customer database on it, or pick the lock to the salaries drawer! In some organisations there is little understanding or lack of controls in place to manage workers’ access to systems.”


“For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems. To those ‘in the know’ they are the keys to the kingdom and if unprotected or fall into the wrong hands wield a great deal of power. This could include highly sensitive information such as merger plans, the CEO's emails, company accounts, marketing plans, legal records, R & D plans etc,” continued Cyber-Ark’s Mark Fullbrook.

But that’s not all. Cyber-Ark has disclosed that IT staff have made another startling admission: That privileged passwords aren’t changed, or get changed infrequently - and a lot less often than user passwords!

This is an absolutely outrageous finding which gets worse: Cyber-Ark says that: “thirty percent get changed every quarter and a staggering 9% never get changed, giving access indefinitely to all those who know the passwords, even when they've left the organisation.”

So your IT staff go out the door and still have access? What if they’ve gone to work for a competitor or simply feel like being malicious? Some companies could be seriously affected right now, while having no idea where the hits are coming from.

Cyber-Ark then asks who is managing the privileged passwords. Turns out that “half of IT administrators do not have to get authorisation to access privileged accounts, which shows a general lack of control of these power identities and indeed understanding over the power that these privileges command.”
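Two of the findings above are things a company can check for itself from records it already holds: whether privileged credentials have been rotated since the people who knew them left, and whether privileged sessions are being opened without any authorisation on record. The following audit script is an added example written for this column, not code from Cyber-Ark or the survey; the credential inventory, the leavers list, the access log, the 90-day rotation policy and the “as of” date are all constructed for illustration.

```python
from datetime import date

# Policy assumed for this example (not a figure from the survey): privileged
# credentials are rotated at least every 90 days, and every privileged session
# must reference an approval ticket.
MAX_CREDENTIAL_AGE_DAYS = 90

# Constructed "as of" date for the audit run.
TODAY = date(2008, 6, 23)

# Constructed inventory: each privileged credential, when it was last rotated,
# and which people are known to hold it.
CREDENTIALS = [
    {"name": "domain-admin", "last_rotated": date(2008, 5, 1), "holders": ["alice", "bob"]},
    {"name": "db-root", "last_rotated": date(2006, 11, 20), "holders": ["bob", "carol"]},
    {"name": "backup-svc", "last_rotated": date(2008, 6, 10), "holders": ["dave", "erin"]},
]

# Constructed HR feed: people who have left, and the date they left.
DEPARTED = {
    "carol": date(2008, 3, 15),
    "erin": date(2008, 6, 1),
}

# Constructed privileged-access log: who used which credential, and whether an
# approval ticket was recorded for the session (None or "" means no approval).
ACCESS_LOG = [
    {"user": "alice", "credential": "domain-admin", "ticket": "CHG-1001"},
    {"user": "bob", "credential": "db-root", "ticket": None},
    {"user": "dave", "credential": "backup-svc", "ticket": "CHG-1003"},
    {"user": "bob", "credential": "domain-admin", "ticket": ""},
]


def stale_credentials(creds, today, max_age_days=MAX_CREDENTIAL_AGE_DAYS):
    """Names of credentials not rotated within the allowed window."""
    return sorted(c["name"] for c in creds
                  if (today - c["last_rotated"]).days > max_age_days)


def credentials_known_to_departed(creds, departed):
    """(credential, holder) pairs where the holder has left and the credential
    has not been rotated since their departure, so they still effectively
    have access. A credential rotated after the leaver's last day is not
    flagged."""
    return sorted((c["name"], h)
                  for c in creds
                  for h in c["holders"]
                  if h in departed and departed[h] >= c["last_rotated"])


def unauthorised_sessions(log):
    """(user, credential) pairs for privileged sessions with no approval ticket."""
    return [(e["user"], e["credential"]) for e in log if not e["ticket"]]


def audit(creds, departed, log, today):
    """Run all three checks and return the findings as a dict."""
    return {
        "stale": stale_credentials(creds, today),
        "departed_holders": credentials_known_to_departed(creds, departed),
        "no_authorisation": unauthorised_sessions(log),
    }


if __name__ == "__main__":
    for finding, items in audit(CREDENTIALS, DEPARTED, ACCESS_LOG, TODAY).items():
        print(f"{finding}: {items}")
```

On the constructed data the script flags db-root as both stale and still known to a leaver (carol), while backup-svc is not flagged for erin because it was rotated after she left; it also lists bob’s two sessions opened without an approval ticket. The point of the departure-date comparison is that “rotate on leaving” is the control that closes the gap the survey describes, and the check verifies that it actually happened rather than just that a leaver once held the credential.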

Cyber-Ark’s last findings then show how many companies and their employees are still living in a sloppy, security-weak 20th century world when it comes to handling and exchanging sensitive data, instead of using 21st century technology to keep data highly secure.

The survey shows that 70% of companies continue to rely on “out-dated and insecure methods to exchange sensitive data when it comes to passing it between themselves and their business partners”.

Regular old email is being used by 35% to exchange “sensitive data”, couriers are used by another 35%, FTP is the choice of 22% and the postal system is the choice of 4%.

And 12% of “senior IT personnel” that were interviewed also admitted to sending cash in the post. You’d think they’d do an electronic bank transfer, or even use the dreaded Paypal. Hey, they could even write a cheque. But no! They’re sending cash.

It's clear that not ALL IT security professionals out there are acting in an unprofessional manner. But the fact that so many have happily admitted to cyber snooping means that companies need to be much stricter about security than they are today.

As Cyber-Ark’s Mark Fullbrook concludes: "As we have seen, many use their privileged passwords without having to seek authorisation, and if the price is right what's stopping them from choosing to trade information to the highest bidder? Companies need to wake up to the fact that if they don't introduce layers of security and tighten up who has access to vital information, by managing and controlling privileged passwords, snooping, sabotage and hacking will continue."


Alex Zaharov-Reutt

One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows.
