0

A survey by secure data specialists Cyber-Ark Software has revealed that the least trustworthy members of staff include temps, cleaners, security guards and the board of directors. PR, marketing and sales staff were also low on the list. At the other end of the trust scale, the personnel and legal departments along with the boss's secretary were flying high.

The most trustworthy were considered to be IT staff. But are they really?

The fact that the survey was conducted amongst office workers consisting predominantly of IT personnel may well have influenced the results, of course. But interestingly, the IT crowd gave themselves away in their comments with 1 in 3 admitting they abuse their privileges by using admin passwords to snoop on confidential data.

One fairly typical comment being "so I know some personal stuff about my co-workers but who cares? Sales and marketing are constantly making things up about our products. That's so much more dangerous to our company than me knowing how much Viagra the COO ordered last month - okay it's a bit cheeky snooping around other peoples email systems but at least I'm not lying! I also don't trust the board of directors who trump up figures just to please the shareholders and just like politicians only tell us what they want us to know."

Another IT Administrator laughed out loud as he answered the survey, saying: "Why does it surprise you that so many of us snoop around your files, wouldn't you if you had secret access to anything you can get your hands on!"

It should not come as any great surprise that workers don't trust the board of directors, after all executives dipping into company funds and falsifying the accounts is not an uncommon experience. Take the recent example of Stephen Richards, the former head of sales for Computer Associates in the UK, imprisoned for 7 years for conspiracy, securities fraud, perjury and obstruction of justice.

But research conducted for the US Department of Defense by Carnegie Mellon University, has discovered that it is more often not the stereotypical cleaners and security guards that are the most untrustworthy within an organization. Nor, for that matter, the board of directors. So who is the real villain of the piece? Yes, you guessed it, the IT worker. Because they can attack the company from inside using privileged passwords to access systems, and just as importantly can do their damage without detection, IT staff should be most feared.

The Cyber-Ark survey also found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them.

Calum Macleod, European Director for Cyber-Ark, told me "in an organization you never know who you can trust! There is increasing evidence to show that most breaches are carried out by insiders who are those people you least suspect such as the temporary staff who may be paid by your competitors to extract vital information. The findings of this survey show that there is distrust across all groups of workers and our advice to companies who need to protect sensitive information is to encrypt it, lock it away in a digital safe and make sure that you only allow staff to have access to what they need, by creating layers of security on your network. It is time companies take stock of who they employ and don't naively allow staff general access to everything and anything. Often people can do more damage than you can imagine just at the click of a mouse so it's worth sitting up and taking note of just who has access to what, researching your vulnerabilities and then locking down and securing not only your physical backdoors but also your virtual ones."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

3
Contributors
3
Replies
4
Views
9 Years
Discussion Span
Last Post by bregalad
0

I would not trust any findings from Cyber-Ark unless they have been audited or validated by a external source.

Cyber-Ark keep scoming with surverys that are skewed towards their product (not un-common for software companies). In Cyber-Ark's case the surveys are just made up not based on any facts.

0

The Carnegie Mellon research would seem to back up the idea that IT staff are the least trustworthy, which is the point I was making here. In fairness, Cyber Ark did highlight some of the comments of IT staff in their own survey which showed how the results were skewed somewhat.

0

knowing passwords is not the same as untrustworthyness

the kind of mind that can remember an improbable series of steps to coercing a computer into accomplishing a specific task is the kind of mind that can't help remembering an improbable series of letters if once told it or for that matter forced to use it repeatedly in association with a specific task/situation/user

giving passwords to known untrustworthy agents on the other hand isn't wise. and anything considered sensitive should be protected, not only against prying eyes but also from worms and Trojans

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.