Peeping IT Pros
In April, at the Infosecurity Europe exhibition in London, Cyber-Ark Software polled 200 IT security professionals about whether IT employees peeked at personal information collected by the company. The results are ugly:
One in three IT employees admit to snooping through company systems and peeking at confidential information such as private files, wage data, personal emails, and HR background, just by using the special administrative passwords that give IT workers privileged and anonymous access to virtually any system. One IT Administrator laughed out loud as he answered the survey, saying: "Why does it surprise you that so many of us snoop around your files, wouldn't you if you had secret access to anything you can get your hands on!"

As if that weren't bad enough, the survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them.
It's a tough problem, but other organizations deal with it: The U.S. Postal Service has inspectors who make sure postal employees don't open the mail. Police departments have units that look for rogue cops. Even bar owners hire people to make sure bartenders aren't robbing the cash registers. So who's minding the IT professionals?
Comments (5)
Every organization should have a comprehensive Acceptable Use of Information Resources policy, which all employees must sign and abide as a condition of employment. Among other things, employees agree not to access confidential or proprietary information out of curiosity.
Posted by Craig Herberg | June 5, 2007 12:09 PM
I don't know about the 1 in 3 that are snoops, but I just don't have the time to go searching for data that wouldn't benefit me even if I found it. The other reason I never snoop is a matter of professionalism. Call it pride, call it raising the bar, I don't care. It's like stealing a candy bar. Once you've done it, you're a thief. Better to stay away. I sleep well at night.
Posted by Network Administrator | June 5, 2007 6:37 PM
I am an IT consultant and consider three characteristics paramount - professionalism, business ethics and personal moral standards. In the prime vertical market we operate in, there is real possibility of extremely easy access to large amounts of sensitive & confidential data at our client locations.
On occasion, a new client may even ask us about confidentiality issues. My answer is that we never access sensitive data unless it is absolutely necessary in the context of the project, and even in such situations, it is looked at purely from the objective of accessing or using it directly for the purpose of checking functionality. In other words, the objective is never to view it to snoop for content, but rather for operational purposes only.
Posted by Don | June 13, 2007 10:11 PM
An Acceptable Use of Information Resources Policy will stop 'em! Sure!.... especially if it's written in legalese by the general counsel's office, each section has three sentences with three subjects, two verbs, four objects and a minimum of three prepositional phrase modifiers per verb. At what point does the density of the legalese in a mandatory compliance become itself a defense against compliance? Mandatory policy agreements are seldom in English.
Posted by Dave Gowan | June 14, 2007 2:21 PM
A large part of the problem is that Personal Identifying Information (PII) is readily available in many firms' test environments. Without taking precautions to mask this data, companies are actively contributing to this problem. This despite a number of current and pending laws that make the "Peeping" a violation for the company or medical institution.
Posted by Joe Santangelo | June 16, 2007 2:34 PM