35pc of IT staff admit to snooping


10 Jun 2009

Over a third of IT staff use their administrator rights to have a peek at confidential company information, including customer databases and HR lists, according to a recent survey carried out by security software firm Cyber-Ark on 400 senior IT professionals in mainly enterprise-class firms across the UK and US.

Aside from 35pc of IT staff saying that they accessed private company data without authorisation, 74pc said that, should they want to, they would be able to completely circumvent security measures in place to cut off access to internal data; in other words, sabotage is easy.

What is even more revealing is the apparent impact that the economic downturn has had upon this kind of activity. When surveyparticipants were asked what they would take with them if they left a company, there was a six-fold increase from the previous year’s survey in those saying that they would take financial reports or merger and acquisition plans, while four times as many said they would swipe the CEO’s password and R&D plans.

More startling information emerged from the survey: a fifth of companies taking part said they had fallen victim to insider sabotage or IT security fraud, with 36pc feeling pretty sure that their competitors has received either sensitive information of intellectual property from current or ex-staff.

And here’s a funny one: 71pc of survey respondents said that staff with privileged accounts were being ‘partially monitored’, and 91pc of those being monitored were okay with this. Well, they would be, wouldn’t they; 74pc of them admitted that they had ways of getting around the monitoring software if they needed to.

“This survey shows that while most employees claim that access to privileged accounts is currently monitored, and an overwhelming majority support additional monitoring practices, employee snooping on sensitive information continues unabated,” said Udi Mokady, CEO of Cyber-Ark.

“Unauthorised access to information such as customer credit-card data, private personnel information, internal financial reports and R&D plans leaves a company vulnerable to a severe data leak, with the risk of financial or regulatory exposure and damage to its brand, or competitors obtaining critically important competitive information.

“Cyber-Ark is committed to raising awareness around the risk of unmanaged privileged accounts. While seemingly innocuous, these accounts provide workers with the ‘keys to the kingdom’, allowing them to access critically sensitive information, no matter where it resides,” Mokady said.

“Businesses must wake up and realise that trust is not a security policy; they have an organisational responsibility to lock down sensitive data and systems, while monitoring all activity, even when legitimate access is granted,” he added.

By Marie Boran