Survey reveals culture of IT admin snooping

A third of IT admins had looked up information such as executives' passwords

Over a third of IT staff have used their administration rights to access privileged information about employees, customers and their company for personal reasons, according to a recent survey by Cyber-Ark.

Despite the rise in high-profile data leaks over the past year, the survey of 400 IT administrators found that 35 per cent had abused their admin rights, up slightly from 33 per cent in the same survey a year ago.

The most common information being accessed is HR records, followed by customer databases, merger and acquisition (M&A) plans, redundancy lists and marketing information.

Cyber-Ark's 2009 Trust, Security & Passwords report also identified a dramatic rise in the number of respondents who would take proprietary data and information with them if they were fired, as well as a change in the type of information they would take.

The survey found a six-fold increase in the number of staff who would take financial reports or M&A plans, and a four-fold increase in those who would take chief executives' passwords, and research and development (R&D) plans. Other targets included customer databases, email server admin accounts and privileged password lists.

Although most companies appear to have some sort of monitoring of privileged account access and activity, three-quarters of respondents claimed that they could get round them if they wanted to.

"This survey shows that, while most employees claim that access to privileged accounts is currently monitored, and an overwhelming majority support additional monitoring practices, employee snooping on sensitive information continues unabated," said Udi Mokady, chief executive at Cyber-Ark.

"Unauthorised access to information such as customer credit card data, private personnel information, internal financial reports and R&D plans leaves a company vulnerable to a severe data leak with the risk of financial or regulatory exposure and damage to its brand, or competitors obtaining critically important competitive information."

The research also revealed that one in five companies admitted to having been the victim of some kind of insider sabotage or IT security fraud. Over a third of these suspect that their competitors have received highly sensitive information or intellectual property as a result.

"Businesses must wake up and realise that trust is not a security policy. They have an organisational responsibility to lock down sensitive data and systems, while monitoring all activity even when legitimate access is granted," concluded Mokady.