Portal Home | IS News Menu | Portal Menu | ISB Menu | Main Content
IT-Powered Nosiness
30 May 12:49

One in three tech workers admit to using special IT privileges to peek at YOUR confidential data.

Survey reveals that whilst you sit at your desk working innocently away, one in three of your IT work colleagues are snooping through company systems, peeking at confidential information such as your private files, wage data, personal emails, and HR background, just by using the special administrative passwords that give IT workers privileged and anonymous access to virtually any system.

One IT Administrator laughed out loud as he answered the survey, saying: Why does it surprise you that so many of us snoop around your files, wouldnt YOU if you had secret access to anything you can get your hands on! These are the findings of a survey released by Cyber-Ark Software, who carried out the research at last months Infosecurity Exhibition as part of their annual survey into Trust, Security and Passwords. As if that werent bad enough, the survey found that more than one-third of IT professionals admit they could still access their companys network once theyd left their current job, with no one to stop them.

More than 200 IT professionals participated in the survey with many revealing that although it wasnt corporate policy to allow IT workers to access systems after termination, still over one-quarter of respondents knew of another IT staff member who still had access to sensitive networks even though theyd left the company long ago.

Post-It Notes: The IT Favourite for Storing Passwords
It seems that very little changes year over year more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently. Whats shocking about this years annual survey was that the 50 per cent number now applies to IT Professionals as well! More than half of respondents admitted to using Post-It notes to store administrative passwords.

As one IT Administrator explained: Sure, its easy for an employee to update the personal password to their laptop, but to change the Administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down. And where do they write it? On a Post-It note.

Administrative Passwords Rarely Get Changed
One-fifth of all organisations admitted that they rarely changed their administrative passwords with 7 per cent saying they NEVER change administrative passwords. This may explain why one-third of all people questioned would still have access to their network even if theyd left the company. 8 per cent of IT professionals revealed that the manufacturers default admin password on critical systems had never been changed, leaving a commonly used backdoor open for hackers.

Passwords Stored Insecurely
The survey also shows that the majority of companies mismanage the storage of administrative passwords by keeping them in unsecured locations and hence not controlling access to these critical codes. 57 per cent of companies store their administrative passwords manually, 18 per cent store them in an excel spreadsheet (which are notoriously insecure and easy to access), and 82 per cent of IT professionals store them in their heads hindering security efforts, business continuity, as well as the auditing, controlling and managing of passwords. In the event that the keeper of these critical administrative passwords is unavailable or loses the location of the passwords, it can cause massive disruption and hours of lost productivity.

In other words, dont throw out any Post-It notes laying around the IT department you may never get into your workstation again!

Insider Sabotage More Prevalent
15 per cent of companies interviewed had experienced insider sabotage, which is not surprising considering that over one-third of IT staff report using administrative passwords to snoop around corporate systems. Even worse, such snooping can turn ugly when IT workers feel disgruntled, aggrieved and especially after theyve been fired. According to a recent study by Carnegie Mellon University, the most common insider attack is by a disgruntled IT employee using anonymous access from a privileged account.

Calum Macleod European Director for Cyber-Ark said: Its surprising to find out how rife snooping is in the workplace. Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information. Now all you need to have is the administrative password and you can snoop around most places, and it appears that is exactly whats happening. Companies need to wake up to the fact that if they dont introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife!
[Funnily, when I was a part-time sysop on my university's IBM mainframe in 1964 the situation was exactly the same... --Ed].

Related links: (Open in a new window.)
External link www.cyber-ark.com/

View Printable View printable version (opens in new window)
Back Back