Quis custodiet ipsos custodes

Uncategorized

1 September 2008

There’s an interesting piece of research from Cyber Ark that suggests that the majority of IT administrators would, if laid off, take confidential information with them. The target information includes the CEO’s passwords, the customer database, R&D plans, financial reports, M&A plans and, most importantly, the company’s list of privileged passwords.

The research, entitled “Trust, Security & Passwords”, looks at the current volatility in the market and the fact that there will inevitably be job losses among IT personnel, despite the skills shortage. Extrapolating that some of the people who might lose their jobs in such a situation may not be happy about it, the survey seems to have asked, reasonably, what such people would do with their privileged position before being escorted from their desks.

Well, it appears that 88% would leave with some of the aforementioned crown jewels. Only 12% said that they would take nothing but their dignity.


Now, while this is a fairly damning indictment of the IT fraternity, one might also ask why anyone would have such access, unfettered. Why would procedures be so bad that one person could, if disgruntled, make away with such valuables?

This story on the face of it seems to be about the IT people as the bad guys, but if one scratches the surface, it also seems to be an indictment of the practices allowed to proliferate that would see someone, anyone, walk out of an organisation with sensitive information.

Surely monitoring systems should be in place to log access to sensitive information, even if it is by someone with administration privileges? Should such logs not be independently reviewed and audited by someone other than an IT administrator to ensure that everything was shipshape and Bristol fashion?

To me, this story more reflects the laxity that has been allowed to creep into such things because c-suite people, for the most part, can’t seem to be bothered to acquaint themselves with information systems well enough to know whether such monitoring is in place, in operation and regularly reviewed by someone who can make sense of it.

Then, surely, if angry Bob, the serving-out-his-notice admin, is detected browsing the latest R&D titbits or just looking up the CEO’s personal e-mail, he is called to account to explain himself, and hopefully before he goes to That Place Next Door Inc, who have just announced a product surprisingly similar to the one you’ve just spent €2 billion developing.

Data protection is not just about threats from without, but also about threats from within. When an operative turns rogue, whose fault is it if they had too many access privileges in the first place?
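As an added illustration of the monitoring and independent review argued for above (example code written for this page, not from the original post or from Cyber Ark), the following script reads a constructed audit log, flags the kinds of access the post worries about (a technical role touching business data, a leaver touching crown jewels, a bulk export) and then enforces the "watch the watchers" rule by refusing to let one of the reviewed admins sign off on their own report. The resource names, roles, the leaver list and the export threshold are assumptions; in practice the leaver list would come from HR and the log from the systems holding the data.

```python
import json
from datetime import datetime

# Constructed sample audit log (one JSON object per line). Not real data.
SAMPLE_LOG = """
{"ts": "2008-09-01T09:02:11", "user": "bob", "role": "admin", "action": "read", "resource": "rd_roadmap", "bytes": 2048}
{"ts": "2008-09-01T09:05:40", "user": "bob", "role": "admin", "action": "read", "resource": "ceo_mailbox", "bytes": 512}
{"ts": "2008-09-01T09:10:03", "user": "bob", "role": "admin", "action": "export", "resource": "customer_db", "bytes": 734003200}
{"ts": "2008-09-01T09:12:00", "user": "alice", "role": "admin", "action": "read", "resource": "backup_config", "bytes": 4096}
{"ts": "2008-09-01T09:15:30", "user": "carol", "role": "finance", "action": "read", "resource": "financial_reports", "bytes": 8192}
"""

# Assumed resource ids for the "crown jewels" the post lists.
SENSITIVE = {"rd_roadmap", "ceo_mailbox", "customer_db",
             "financial_reports", "ma_plans", "privileged_vault"}
# Roles whose day job is running systems, not reading business data (assumption).
TECH_ROLES = {"admin"}
# Staff serving out their notice (assumption; would be fed from HR).
LEAVERS = {"bob"}
# Anything exported above this size is worth a second look (assumption: 100 MiB).
EXPORT_BYTES_THRESHOLD = 100 * 1024 * 1024


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def flag_events(events, sensitive=SENSITIVE, tech_roles=TECH_ROLES,
                leavers=LEAVERS, export_threshold=EXPORT_BYTES_THRESHOLD):
    """Return a finding for every event that matches at least one rule.

    Each finding carries every reason it matched, so a reviewer sees
    "leaver + bulk export + out-of-role" as one escalated event, not three.
    """
    findings = []
    for ev in events:
        reasons = []
        if ev["resource"] in sensitive and ev["role"] in tech_roles:
            reasons.append("technical role touched business-sensitive data")
        if ev["user"] in leavers and ev["resource"] in sensitive:
            reasons.append("user serving notice accessed sensitive data")
        if ev["action"] == "export" and ev["bytes"] >= export_threshold:
            reasons.append("bulk export above threshold")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "resource": ev["resource"], "reasons": reasons})
    return findings


def independent_review(findings, reviewer, reviewed_admins):
    """Summarise findings per user, but only for a reviewer outside the admin pool.

    This is the "who watches the watchers" check: an admin must not be the
    person signing off the log of admin activity.
    """
    if reviewer in reviewed_admins:
        raise ValueError(f"{reviewer} is one of the reviewed admins; "
                         "review must be independent")
    summary = {}
    for f in findings:
        summary[f["user"]] = summary.get(f["user"], 0) + 1
    return summary


if __name__ == "__main__":
    found = flag_events(parse_events(SAMPLE_LOG))
    for f in found:
        print(f["ts"], f["user"], f["resource"], "; ".join(f["reasons"]))
    print(independent_review(found, reviewer="dana", reviewed_admins={"bob", "alice"}))
```

Run as written, the three events by bob are flagged (the export carrying all three reasons) while alice's read of a configuration file and carol's in-role read of finance data are not; handing the report to alice for sign-off is rejected because she is in the admin pool being reviewed.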

Watch the watchers. The world is too cynical for a noble lie to be effective anymore.
