One third of IT staff use their privileged rights to secretly peek at confidential data on the network – including salary details, plans for mergers and acquisitions and personal emails.
That’s chief among the findings of a survey released by digital vaulting software firm Cyber-Ark, which carried out its research at the recent Infosecurity Expo 2008, as part of its work on trust, security and passwords.
The survey also reveals that almost half (47%) have accessed information not relevant to their role.
Mark Fullbrook, UK director of Cyber-Ark, says: “When it comes down to it, IT has essentially enabled snooping to happen. It’s easy – all you need is access to the right passwords or privileged accounts and you’re privy to everything that’s going on within your company.”
That raises another point: Cyber-Ark’s survey finds that privileged passwords are still rarely changed – much less frequently than user passwords. The research suggests that 30% are changed every quarter, while 9% are never changed.
“For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems,” says Fullbrook. “To those in the know they are the keys to the kingdom and if unprotected, wield a great deal of power.”
And with fully half of IT administrators not requiring authorisation to access privileged accounts, the door in many companies appears to be wide open.
“Companies need to wake up to the fact that if they don’t introduce layers of security and tighten up who has access to vital information, by managing and controlling privileged passwords, snooping, sabotage and hacking will continue,” warns Fullbrook.