A study by Cyber-Ark Software of 200 IT professionals indicates that IT employees are using their special administrative access to look at confidential employee data. IT employees are given shared administrative passwords that let them reach confidential information without their actions being tied to an individual, and that anonymity is making them bold.

One in three IT employees admit to snooping in company systems to look at confidential information: private files, wage data, personal emails, and HR background. Additionally, one third admitted that they could still access this confidential information once they had left their job with the company. 15% of the companies interviewed had experienced insider sabotage, which in part can be attributed to the phenomenon of “IT snooping.”

The study also revealed that 50% of IT professionals store their administrative passwords on Post-It notes. Administrative passwords are essentially the “master keys” to stored information. Given that these passwords are not tracked, this poses a major security risk.

As one IT Administrator explained: “Sure, it’s easy for an employee to update the personal password on their laptop, but to change the Administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down.”

The storage of administrative passwords needs to be well managed. Not only should the passwords be changed regularly and be different on each system, but they should be stored securely. Simply remembering the passwords is an insecure practice: it leaves no record for password administration and causes problems with employee turnover, because the knowledge walks out of the door with the person.

Using one password for all machines is a significant security risk in itself, so one would expect at least that these passwords would be changed regularly. However, one-fifth of all organizations admit they rarely change the administrative passwords, with 7% saying they never change them, and 8% admitting the default manufacturer admin password has never been changed. This, in part, explains why past employees can continue to obtain access to private systems.

Matt Hines of InfoWorld sums up these issues well:

The study not only backs up the idea that insiders do represent a significant threat to corporate data, but also that some IT people are openly lecherous.

In a broader sense, the study also validates the idea that companies aren’t sufficiently watching the activity of their IT administrators.

Neither current nor past employees should have such universal and untraced access to information. Companies need to restrict access to vital information, manage passwords more effectively, and add further security layers to deter not only snooping, but sabotage, hacking and potential data breaches.
