At my company we often say that “privileged identities hold the keys to the IT kingdom.” After all, an admin who knows his organization’s privileged account passwords can access systems with highly sensitive data, install or remove applications and files, and change configuration settings virtually anywhere on the network – all while remaining anonymous to auditors and management.
It’s a message we’ve preached to the IT community for years, though I’ve often wondered if it falls on deaf ears. Now, our latest survey* reveals that a significant percentage of IT administrators (42%) – across diverse regions and industries – say they can indeed access any information in their networks at will, including their CEO’s private files. And these IT professionals claim that they can do so without senior management ever realizing the extent of their access.
Here are the highlights of the survey:
- 78% of the technology professionals interviewed admitted they could walk out of the office taking highly sensitive information with them.
- 39% confirmed that their management does not have the faintest idea what IT can and cannot access.
- Approximately one-third of respondents said they’d still be able to access sensitive information long after leaving the company.
While these figures may seem staggering, they’re exactly what I would expect. Here’s the analogy I use: Years ago, the most sensitive data in an organization was locked away in a filing cabinet accessible to one or two trusted key holders. Today, that data is “locked away” in a virtual filing cabinet, but few companies realize just how many people have keys to this cabinet. And as long as this practice persists, you can anticipate reading a lot more news stories about insider data breaches.
Are you surprised by these survey results?
*The survey took place at Infosecurity Europe 2011 and RSA Conference 2011. Nearly 500 IT professionals participated anonymously.