Exercise extreme caution when dismissing employees with knowledge of your IT systems. Cyber-Ark’s annual “Trust, Security & Passwords” survey of 300 IT security professionals revealed that 88 percent of IT administrators, if laid off tomorrow, would take valuable and sensitive company information with them. The targeted information includes the CEO’s passwords, the customer database, R & D plans, financial reports, M & A plans, and, most importantly, the company’s list of privileged passwords. Only 12 percent said that they would plan to leave empty-handed.
The privileged password list, in particular, provides the keys to unlock access to every piece of information on the network. Of the 88 percent who said they would take valuable information with them, one third of devious IT administrators would take the privileged password list, which would give them access to all the other sensitive and valuable documents and information, such as financial reports, accounts, and HR records.
Interestingly, one third of companies revealed that they believe industrial espionage and data leakage are rife, with data being leaked out of their companies and going to their competitors or criminals, usually via powerful high-gigabyte mobile devices such as USB sticks, iPods, BlackBerrys and laptops – or sent over email. A quarter of companies also admitted to suffering from internal sabotage and/or cases of IT security fraud happening in their workplace – which shows just how prevalent IT security breaches are within most companies.
The survey shows that IT security is a very genuine problem for most companies and that those responsible for securing the systems are often very sloppy when it comes to basic “good housekeeping”. According to the survey, IT administrators, who are often responsible for security, don’t exchange or send information securely, with 35 percent choosing to send sensitive or highly confidential information via email. Furthermore, 35 percent of those surveyed use couriers to transport sensitive data, a system only marginally safe when the information is backed up and encrypted. Astonishingly, four percent of the sample actually use the postal system to send sensitive information!
In spite of the billions that are currently spent on security systems to make them safe and secure, it is very hard to instill good working practices, even amongst the very people who are responsible for setting IT security standards in their own companies. One third of IT administrators surveyed admit to having written down privileged passwords on a post-it note.
The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people’s personal emails, board meeting minutes and other personal information that they were not privy to. They did this by using their privileged rights and administrative passwords to access information that is confidential or sensitive.