IT's Power: Information Technology Professional's Abuse of Need-to-Know Access

June 30, 2008

Passwords on email and other personal documents may be secure enough to keep most eyes from glimpsing what is not theirs to glimpse, but they don't stop one in three information technology professionals from using their privileged access to snoop into the lives of colleagues, reported MSNBC. When Cyber-Ark, a U.S.-based information security company, surveyed 300 senior IT professionals in Frankfurt, Germany, it found that 100 or more of them admitted to prying into the personal emails, board-meeting minutes and salary details of coworkers, while 47 percent said they had used their access to look up information not germane to their jobs. Mark Fullbrook, director of Cyber-Ark's U.K. branch, released a statement with the results of the survey in which he explained how such an internal breach of privacy could so easily occur. "All you need is access to the right passwords or privileged accounts[,] and you're privy to everything that's going on within your company," he said. Fullbrook also outlined why so few employees have suspected their coworkers in the IT department in the past.

"For most people," he began, "administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems."

But "to those 'in the know,'" he added, "they are the keys to the kingdom."

Cyber-Ark revealed that privileged passwords are updated far less often than user passwords. As many as 30 percent of them only get changed every quarter, with 9 percent not getting changed at all.

That means that even when ordinary users diligently reset their own passwords, administrative passwords are changed so rarely that IT staffers who left the company long ago could still get into its systems.
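The two risks described above, privileged passwords that are rotated rarely or never, and passwords still known to people who have left, are exactly what a periodic privileged-account audit should surface. The following script is an added example, not code from the article or from Cyber-Ark; the account inventory, the departed-staff list with departure dates, and the 30-day rotation policy are all constructed for illustration.

```python
"""Audit of privileged-credential age and exposure to departed staff.

Added example (not from the article or Cyber-Ark). The inventory, the
departure records and the rotation policy below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class PrivilegedAccount:
    name: str
    last_rotated: Optional[date]   # None means the password was never changed
    known_holders: List[str]       # everyone who has been given this password


# Constructed sample inventory of shared administrative accounts.
INVENTORY: List[PrivilegedAccount] = [
    PrivilegedAccount("root@db-01", date(2008, 6, 1), ["alice", "bob"]),
    PrivilegedAccount("Administrator@fileserver", date(2008, 1, 15), ["bob", "carol"]),
    PrivilegedAccount("svc_backup", None, ["dave"]),
    PrivilegedAccount("enable@core-rtr", date(2008, 6, 25), ["alice"]),
]

# Constructed: staff who have left, with their last day (assumed to come from HR).
DEPARTED: Dict[str, date] = {
    "carol": date(2008, 3, 1),
    "dave": date(2007, 11, 20),
}

# Assumed policy: privileged passwords must be rotated at least every 30 days.
MAX_AGE = timedelta(days=30)

# Date the audit is run; fixed here so the results are reproducible.
AUDIT_DATE = date(2008, 6, 30)


def stale_accounts(inventory: List[PrivilegedAccount],
                   today: date = AUDIT_DATE,
                   max_age: timedelta = MAX_AGE) -> List[str]:
    """Accounts whose password is older than the policy allows or was never rotated."""
    return sorted(
        a.name for a in inventory
        if a.last_rotated is None or today - a.last_rotated > max_age
    )


def accounts_exposed_to_departed(inventory: List[PrivilegedAccount],
                                 departed: Dict[str, date] = DEPARTED
                                 ) -> List[Tuple[str, str]]:
    """(account, former employee) pairs where the password was not rotated after departure.

    A departed holder still knows the password unless it was changed on or
    after their last day, so such accounts remain usable by people no longer
    employed. A never-rotated password is always exposed.
    """
    exposed = []
    for a in inventory:
        for holder in a.known_holders:
            left_on = departed.get(holder)
            if left_on is None:
                continue
            if a.last_rotated is None or a.last_rotated < left_on:
                exposed.append((a.name, holder))
    return sorted(exposed)


def audit_report(inventory: List[PrivilegedAccount] = INVENTORY,
                 today: date = AUDIT_DATE) -> Dict[str, object]:
    """Summarise both findings so the result can be tracked over time."""
    stale = stale_accounts(inventory, today)
    exposed = accounts_exposed_to_departed(inventory)
    return {
        "audit_date": today.isoformat(),
        "total_privileged_accounts": len(inventory),
        "stale": stale,
        "exposed_to_departed": exposed,
        "needs_rotation": sorted(set(stale) | {name for name, _ in exposed}),
    }


if __name__ == "__main__":
    report = audit_report()
    print(f"Privileged-account audit for {report['audit_date']}")
    print(f"  stale (older than {MAX_AGE.days} days or never rotated): {report['stale']}")
    print(f"  still known to former staff: {report['exposed_to_departed']}")
    print(f"  rotate now: {report['needs_rotation']}")
```

The audit only works if the inventory records who has ever been given each shared password; that list is the piece most organisations lack, and keeping it (or replacing shared passwords with individually attributed privileged accounts) is what turns "change admin passwords regularly" from a good intention into something that can be checked.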

In fact, Cyber-Ark indicated, seven out of 10 companies relied on "outdated and insecure methods" of "exchang[ing] sensitive data": 35 percent, its survey showed, used email, 35 percent used couriers and 4 percent still entrusted such information to the traditional postal system.

So regular rotation of privileged passwords and more secure channels for exchanging sensitive data are things employers will have to consider if they want to stop playing mouse to a bored, malicious or simply curious cat that seems not to be dying, but to be growing stronger.

Legal mentions © L’Atelier BNP Paribas