Is your data safe? Survey reveals scandal of snooping IT staff

Results of a recent study reveal the hidden scandal of IT staff snooping at the confidential information of other employees. The research was carried out at last spring's Infosecurity Exhibition Europe as part of an annual survey into "Trust, Security and Passwords."

Here's what the results showed: One in three IT employees admits to snooping through company systems and peeking at confidential information such as private files, wage data, personal e-mails, and HR background, simply by using the special administrative passwords that give IT workers privileged and anonymous access to virtually any system. One IT administrator laughed out loud as he answered the survey, saying: "Why does it surprise you that so many of us snoop around your files; wouldn't you if you had secret access to anything you can get your hands on?"

As if that weren't bad enough, the survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them.

More than 200 IT professionals participated in the survey. Many revealed that, although corporate policy did not allow IT workers to access systems after termination, over one-quarter of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago.

Post-It Notes: The IT favorite for storing passwords

It seems that very little changes year after year - more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently. What's shocking about this year's annual survey is that the 50 percent number now applies to IT professionals as well! More than half of respondents admitted to using Post-It notes to store administrative passwords, the super-powerful credentials pre-built into every system, such as the administrator ID on your local workstation.

As one IT administrator explained: "Sure, it's easy for an employee to update the personal password to their laptop, but to change the administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down."

And where do they write it? A Post-It note.

Administrative passwords rarely get changed

One-fifth of all organizations admitted that they rarely changed their administrative passwords with 7 percent saying they NEVER change administrative passwords. This may explain why one-third of all people questioned would still have access to their network even if they'd left the company. Eight percent of IT professionals revealed that the manufacturer's default admin password on critical systems had never been changed, which remains the most common way for hackers to break into corporate networks.

Gary McKinnon, who has been named the "most profligate military hacker of all time" (and is still waiting to be extradited to the U.S.) for gaining entry to 90 computers at the U.S. Department of Defense by scanning U.S. military computer systems for blank administrator accounts, says: "The easiest way to infiltrate a company's network is to look for administrative passwords which are left blank, still have the manufacturer's default password, or just use obvious names. Once you find these, which are unbelievably simple and common to find, you're into the system and have the highest level of authority - bingo, you've got control of the company's system."
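The three conditions the last two sections describe (admin passwords shared and never rotated, default or blank administrator credentials, and the built-in administrator account left enabled) can be checked on a single Windows workstation with a short audit script. The script below is an added example, not code from the article or from Cyber-Ark; it uses the standard `Get-LocalUser` and `Get-LocalGroupMember` cmdlets, covers local accounts only (domain accounts in the local Administrators group are not examined), and the 90-day rotation threshold is an assumed policy value to replace with your own.

```powershell
# Added example (not part of the original article): audit local accounts on a
# Windows machine for the conditions the survey reports as common:
#   - an enabled account that permits a blank password,
#   - the built-in Administrator account (RID 500) still enabled,
#   - a member of the local Administrators group whose password has not been
#     rotated within the policy window.
# Requires Windows PowerShell 5.1+ or PowerShell 7 on Windows (LocalAccounts module).
# $MaxPasswordAgeDays is an assumed policy value, not a figure from the article.
param([int]$MaxPasswordAgeDays = 90)

$now      = Get-Date
$findings = @()

# Local Administrators group is well-known SID S-1-5-32-544; resolving by SID
# keeps this working on localized Windows installs where the group name differs.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { $_.SID.Value }

foreach ($u in Get-LocalUser) {
    $isAdmin   = $adminSids -contains $u.SID.Value
    $isBuiltIn = $u.SID.Value -like '*-500'   # RID 500 = built-in Administrator

    # Blank password permitted on an enabled account: the "left blank" case.
    if ($u.Enabled -and -not $u.PasswordRequired) {
        $findings += [pscustomobject]@{ Account = $u.Name; Issue = 'Blank password permitted' }
    }

    # Built-in Administrator still enabled: the obvious, well-known target account.
    if ($isBuiltIn -and $u.Enabled) {
        $findings += [pscustomobject]@{ Account = $u.Name; Issue = 'Built-in Administrator account is enabled' }
    }

    # Privileged account whose password was never set or is older than policy allows.
    if ($isAdmin -and $u.Enabled) {
        if (-not $u.PasswordLastSet) {
            $findings += [pscustomobject]@{ Account = $u.Name; Issue = 'Admin password has never been set' }
        }
        else {
            $ageDays = [int]($now - $u.PasswordLastSet).TotalDays
            if ($ageDays -gt $MaxPasswordAgeDays) {
                $findings += [pscustomobject]@{ Account = $u.Name; Issue = "Admin password last changed $ageDays days ago" }
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session (`.\Audit-LocalAdmins.ps1 -MaxPasswordAgeDays 60`, for example). The output is a per-account list of findings rather than a pass/fail verdict, so it can be collected from many machines and compared; a fleet where every workstation reports the same `PasswordLastSet` date for the same admin account is a strong hint of the "one password for all the systems" practice the administrator quoted above describes.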

Passwords stored insecurely

The survey also shows that the majority of companies mismanage the storage of administrative passwords by keeping them in unsecured locations and hence not controlling access to these critical credentials. Fifty-seven percent of surveyed companies store their administrative passwords manually; eighteen percent store them in a Microsoft Excel spreadsheet (notoriously insecure and easy to access); and 82 percent of IT professionals store the passwords in their heads, which hinders security efforts and business continuity, as well as the auditing, control and management of passwords. If the keeper of these critical administrative passwords is unavailable or forgets where the passwords are kept, the result can be massive disruption and hours of lost productivity.

Words of advice: Don't throw out any Post-It notes lying around the IT department… you may never get into your workstation again!

Insider sabotage more prevalent

Fifteen percent of companies interviewed had experienced insider sabotage, which is not surprising considering that over one-third of IT staff report using administrative passwords to snoop around corporate systems. Even worse, such snooping can turn ugly when IT workers feel disgruntled, aggrieved, and especially after they've been fired. According to a recent study by Carnegie Mellon University, the most common insider attack is by a disgruntled IT employee using anonymous access from a privileged account.

Calum Macleod, European Director for Cyber-Ark, a Newton, MA-based information security company, said: "It's surprising to find out how rife snooping is in the workplace. Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information. Now all you need to have is the administrative password and you can snoop around most places, and it appears that is exactly what's happening. Companies need to wake up to the fact that if they don't introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife!"
