IT staff regularly snooping on users

IT employees are peeking at confidential information such as private files, salary information and personal emails

One in three IT employees admits to snooping on company systems, peeking at confidential information such as private files, salary information and personal emails, it was claimed today.

The "worrying" findings of a survey carried out by security firm Cyber-Ark include IT pros abusing administrative passwords that give them privileged and anonymous access to virtually any system.

The survey reported that more than one third of IT professionals admit that they were still able to access their company network after they had left their job.

More than 200 IT professionals participated in the poll, which was carried out at last month's Infosecurity Exhibition.

Many revealed that, although it was not corporate policy to allow IT workers to access systems after termination, over one quarter of respondents knew of an IT staff member who still had access to sensitive networks after leaving the company.

IT professionals are also failing to follow their own advice. While more than half of employees still keep their passwords on a Post-It note, 50 per cent of these are IT professionals.

More than half of respondents admitted to using Post-It notes to store administrative passwords.

Furthermore, one fifth of all organisations admitted that they rarely change their administrative passwords, and seven per cent never change them.

Even eight per cent of IT professionals revealed that the manufacturer's default admin password on critical systems had never been changed, which remains the most common way for hackers to break into corporate networks.

Gary McKinnon, who is waiting to be extradited to the US for gaining entry to 90 computers at the US Department of Defense by scanning systems for blank administrator accounts, was quoted in the report.

"The easiest way to infiltrate a company's network is to look for administrative passwords which are left blank, still have the manufacturer's default password or just use obvious names," McKinnon was quoted as saying.

"Once you find these, which are unbelievably simple and common to find, you are into the system and have the highest level of authority. Bingo, you've got control of the company's system."

Calum Macleod, European director at Cyber-Ark, said: "It is surprising to find out how rife snooping is in the workplace.

"Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information.

"Now all you need is the administrative password and you can snoop around most places, and it appears that is exactly what's happening."