IT Protects the Network, But Who Protects the Network from IT?
Businesses have gigabytes upon gigabytes of sensitive and confidential data archived on servers, storage arrays, or backup media. Those companies rely on the expertise of information security professionals to protect that data and prevent unauthorized access. The question, though, is "who is protecting the sensitive and confidential data from the information security professionals?"
Cyber-Ark Software has compiled its fourth annual "Trust, Security and Passwords" survey and has uncovered unsettling statistics that companies may find concerning. The survey--conducted with 400 IT administrators and information security professionals at Infosecurity Europe 2010 and RSA USA 2010--found that those entrusted to protect the data may be one of the bigger threats to it.
A Cyber-Ark Software press release explains "The survey found that 67 percent of respondents admitted having accessed information that was not relevant to their role. When asked what department was more likely to snoop and look at confidential information, more than half (54 percent) identified the IT department, likely a natural choice given the group's power and broad responsibility for managing multiple systems across the organization."
There was a distinct spike in respondents--from 33 percent up to 41 percent--confessing to abusing administrative passwords to snoop on sensitive or confidential information they should not have access to. IT administrators in the United States seem most interested in the customer database, while IT administrators from the UK seem more likely to examine HR records.
IT administrators responding to the survey admit that organizations seem to be putting forth more effort to monitor privileged access and curb unauthorized snooping. However, a majority of IT administrators and information security professionals are confident they can circumvent those controls if they choose. The good news is that the percentage of respondents that feel they can circumvent attempts to monitor their actions on the network dropped from 77 percent to 61 percent.
When combined with other studies and surveys, the results paint a rather bleak picture for protecting information from the threat of inside attacks and unauthorized access. A Poneman Institute survey in early 2009 found that "nearly 60 percent of employees who quit a job or were asked to leave over the last year stole some form of company data."
A Compuware Study in 2008 found that less than one percent of data breaches were the work of external hackers, while negligent (or malicious) insiders were the cause of three quarters of the data breach incidents.
Speaking about the results, Cyber-Ark's Executive Vice President Americas and Corporate Development Adam Bosnian commented in the press release to say, "While we understand that human nature and the desire to snoop may never be something we can totally control, we should take heart that fewer are finding it easy to do so, demonstrating that there are increasingly effective controls available to better manage and monitor privileged access rights within organizations. With insider sabotage on the increase, the time to take action has already passed and companies need to heed the warnings."
IT administrators and information security professionals--at least the ones with the moral fiber and ethical nature not to be their own worst enemy--should be aware that the insider threat is much more prevalent and much harder to detect and prevent than external threats. Businesses need to put controls in place to monitor privileged access to sensitive data and guard against the insider threat.