Who Keeps Watch on IT?

June 11, 2009 (PLANSPONSOR.com) - The biggest threat to a company's cyber security may come from the people charged with protecting an organization's online data - the IT department.

The latest poll by a Newton, Massachusetts-based information security firm found that the percentage of IT personnel getting unauthorized access to confidential employer information ticked up to 35% this year from 33% a year ago, according to a news release. Not only that, 74% said they could get around the access controls designed to block unauthorized disclosure of online data.

A news release from Cyber-Ark about its “Trust, Security & Passwords” survey said the latest poll found a sharp increase in the number of respondents who say they would take proprietary data and information that is critical to maintaining competitive advantage and corporate security.

The survey found a six-fold increase in staff who said they would take financial reports or merger and acquisition plans and a four-fold increase in those who would take CEO passwords and research and development plans.

Ominously, one in five companies admit having experienced cases of insider sabotage or IT security fraud. Of those companies, 36% suspect that their competitors have received their company’s highly sensitive information or intellectual property.

Organizations are increasingly aware of the need to monitor privileged account access and activity, with 71% of respondents indicating that privileged accounts are partially monitored. Ninety-one percent of those who are monitored say they are "okay with their employer's monitoring activities."

Some 35% of IT administrators admitted they were using their administration rights to snoop around the network to access confidential or sensitive information. The most common areas respondents indicated they access are HR records, followed by customer databases, M&A plans, layoff lists and lastly, marketing information.

The global survey covered more than 400 senior IT professionals in the U.S. and U.K., mainly from enterprise-class companies, Cyber-Ark said.

Respondents indicated they would be most likely to steal the following types of information:

Type of Information

Customer Database
Email Server Admin Account
M&A Plans
Copy of R&D Plans
CEO's Password
Financial Reports
Privileged Password List



Source: Wilmington Trust