At a company I did work for there was a middle manager in the IT area who liked to be the person “in the know.” At meetings he would always talk about ideas or plans that he otherwise should not have been privy to.
He had administrative rights to the personal storage directories, and also to the print queue. He finally got caught with several inches of printouts of other people’s emails and other documents that had been sent to be printed, along with other files in the personal storage directories. He admitted that he started out peeking out of curiosity, but then realized he was being left out of some key discussions and decisions, so he thought he’d help his career by keeping up on what other people were doing by looking at their stuff.
After all, he had administrative rights to those locations, right? Never mind that the policy stated that personnel must not try to access other people’s data unless they had a business need or had explicitly been granted access. In this guy’s mind, he justified the snooping by the fact that he had explicitly been given admin access.
A survey was recently done by Cyber-Ark that shows 1/3 of IT professionals ADMIT to
“snooping through company systems and peeking at confidential information such as private files, wage data, personal emails, and HR background, just by using the special administrative passwords that give IT workers privileged and anonymous access to virtually any system. One IT Administrator laughed out loud as he answered the survey, saying: “Why does it surprise you that so many of us snoop around your files, wouldn’t you if you had secret access to anything you can get your hands on!”
As if that weren’t bad enough, the survey found that more than one-third of IT professionals admit they could still access their company’s network once they’d left their current job, with no one to stop them.”
I’m not surprised, but it is disappointing, isn’t it? And I bet that more actually do this snooping than admitted to it.
I’m also not surprised that so many still had lingering access to systems following departure from an employer or from their position within the company. At most companies, exit procedures for systems and applications access are almost non-existent. IT folks often have so many different remote-access paths into systems that at least one of them usually does not get shut off.
The survey also revealed:
* 20% admitted that they rarely changed their administrative passwords, and 7% said they NEVER changed them.
* 8% of IT professionals said they never changed the manufacturer’s default admin password on critical systems.
* 57% store their administrative passwords manually on post-it notes; 18% store them in a spreadsheet.
* 15% of the companies had experienced insider sabotage.
Yes, the insider threat is very real indeed.
Folks who have trusted access must have additional controls established around them, and they must have targeted training and ongoing awareness.
Admin ID activity should be logged and audited.
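Two of the problems described above, an admin reading other people’s personal storage and print jobs, and a departed employee’s account still being used, are exactly what an audit review of admin activity should surface. The following is an added example, not code from the original post: it assumes a constructed audit log format with `user=`, `path=` and an optional `owner=` field, a set of admin account names, and a map of departed users to their last day.

```python
import re

# Constructed sample audit records (not from the original post). Each line records
# who read which personal-storage file or print-queue job, and when.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=bjones action=read path=/personal/bjones/budget.xlsx
2024-03-04T09:15:44 user=itadmin action=read path=/personal/itadmin/tools.txt
2024-03-04T09:16:10 user=itadmin action=read path=/personal/cwhite/hr-review.docx
2024-03-04T09:17:52 user=itadmin action=read path=/printqueue/job-118 owner=dlee
2024-03-04T11:02:33 user=tgreen action=read path=/personal/tgreen/notes.txt
2024-03-05T02:40:07 user=tgreen action=read path=/personal/tgreen/notes.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+)(?: owner=(?P<owner>\S+))?$"
)

def parse(log_text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def data_owner(rec):
    """Whose data a record touches: explicit owner= for print jobs, else /personal/<owner>/."""
    if rec["owner"]:
        return rec["owner"]
    m = re.match(r"^/personal/([^/]+)/", rec["path"])
    return m.group(1) if m else None

def audit(log_text, admins, departed):
    """Return (finding, user, path) tuples for two policy violations:
    an admin account reading data it does not own, and any access by an account
    whose owner left before the access date (departed: {user: last_day as ISO date})."""
    findings = []
    for rec in parse(log_text):
        user, path, day = rec["user"], rec["path"], rec["ts"][:10]
        if user in departed and day > departed[user]:
            findings.append(("departed-account-access", user, path))
        owner = data_owner(rec)
        if user in admins and owner is not None and owner != user:
            findings.append(("admin-read-other-users-data", user, path))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {"itadmin"}, {"tgreen": "2024-03-04"}):
        print(*finding)
```

An admin reading their own directory is deliberately not flagged; only reads of data owned by someone else, or any activity on an account that should have been disabled, produce findings for a reviewer to follow up.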
Most folks are generally curious by nature, and most will do things because of that curiosity if they think they will not get caught.
IT personnel with trusted access must be well aware of the code of ethics within your organization, and they must be reminded on an ongoing basis that just because they CAN peek at sensitive information doesn’t mean they SHOULD. In fact, they must know that this is against the code of ethics and against information security policy, and that if they are caught doing it, strong sanctions will be applied.
The IT manager at the beginning of my post was put into a different position, at the same salary, upon discovery of his snooping activities; one he absolutely hated. It had no admin capabilities, very little access to any IT resources, and almost no interaction with other personnel. He soon resigned.
Tags: awareness and training, ethics, Information Security, insider threat, IT compliance, logging, policies and procedures, privacy