Here’s what we found out from our latest one: 39% of IT admins claim that they can get unauthorized access to the most sensitive information in their organizations – including the CEO’s private documents. (Yes, we phrased that question specifically to mention CEOs).
If that doesn’t sound scary enough, as the headline of this post notes, one in five respondents assert that they’ve already accessed data they shouldn’t have.
So what does this mean at a more practical level? We asked this question – “If you thought your job was at risk would you use your admin rights to get access to layoff lists and other valuable or sensitive information?” More than one in ten (11%) answered yes.
And when asked if senior management would even know how to stop them from taking sensitive information, more than two-thirds (69%) of our IT admin respondents replied no.
We conducted this most recent survey among approximately 450 IT professionals in both North America and Europe. Respondents came from organizations of all size – though more than half (55%) work in places with more than 1,000 employees. We don’t ask any identifying questions when we do these surveys because we want people to feel that by being anonymous, they can also be honest.
These results don’t surprise me in the least. I’ve spent many years now in the IT security industry, focusing on ways to secure privileged account passwords (admin, root, etc.) that grant IT admins anonymous access to systems and applications throughout the network.
Not only do these credentials give IT professionals super user access, but it’s access that generally isn’t audited. So there’s no who-did-what-and-when forensics available when configuration settings are modified or when sensitive data is breached. And this doesn’t apply exclusively to current employees. If privileged account passwords aren’t frequently changed, you better believe former employees and contractors still have access.
Don’t expect this type of insider threat to change until executive management steps forward and demands that controls be placed over privileged account access.
If you want more details on this survey, have a look at our 2012 Security Survey page.