
Nosy IT staff becomes biggest privacy threat

August 25, 2008 by Sam Narisi
Posted in: IT staffing, Security and law, Special Report

No one on your company’s IT staff would access confidential information about co-workers without permission, right?

Are you sure?

One third of IT employees admit to using their access rights to view sensitive and private information in company databases, according to a recent survey by Cyber-Ark.

Common types of data perused: employee e-mail, salaries and contact info.

To make matters worse, the survey found 30% of companies change their privileged access passwords only once a quarter — and 9% never change them. That means the snooping can continue even after a staffer changes roles or leaves the company.

Dealing with insider threats

Of course, most technology employees wouldn’t think of doing anything disruptive, illegal or unethical. But as recent news stories have shown — like the one about the techie in San Francisco who blocked access to the city’s network and refused to hand over the password — there are some bad apples out there.

To protect private data, HR and IT management need to work together to make sure tech employees are following the rules. Here are some preemptive steps to take:

  • Perform reference/background checks — Checking applicants’ history is one way to keep out IT staffers who might abuse their access privileges.
  • Make sure the rules are clear — IT employees may be more likely than others to violate policies because they know how to get around technical controls. That’s why it’s important to spell out who may access what, and to discipline people who break the rules.
  • Restrict access — Employees should only be able to view data that they need for their jobs. That includes IT staff: administrative duties such as backups and maintenance rarely require reading the records themselves.
  • Change passwords — Privileged passwords in particular should be changed on a schedule, and immediately whenever someone who knew them changes roles or leaves, and they should be complex enough to stay unpredictable. That reduces the chance of unauthorized employees (or ex-employees) getting at things they shouldn’t.
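To make the “restrict access” and “change passwords” items concrete, here is an added example (not code from the article or from the Cyber-Ark survey). It models a small HRIS where each role has a field-level allow-list, every read attempt is written to an audit trail whether it succeeds or not, and a separate check flags shared privileged passwords that are stale or still known to someone who has left. The employee records, roles, account names, staff names and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample HRIS records (fictional; not data from the article).
RECORDS = {
    "e100": {"name": "A. Lopez", "email": "alopez@example.com", "salary": 82000},
    "e101": {"name": "B. Chen", "email": "bchen@example.com", "salary": 91000},
}

# Field-level allow-list per role: the smallest set each role needs.
# The helpdesk needs contact details to do its job; only HR sees salaries.
# A system administrator who backs up the system needs no read access to
# individual fields, so that role gets an empty set.
ROLE_FIELDS = {
    "hr": {"name", "email", "salary"},
    "helpdesk": {"name", "email"},
    "sysadmin": set(),
}


@dataclass(frozen=True)
class AuditEntry:
    when: date
    actor: str
    role: str
    employee_id: str
    field: str
    allowed: bool


# Append-only record of every attempt, allowed or denied. In a real
# deployment this would go to a store the IT staff cannot edit, reviewed by
# someone outside their chain of command.
AUDIT_LOG: list = []


def read_field(actor, role, employee_id, field, today=None):
    """Return one field of one record if the role's allow-list permits it.

    The attempt is logged before the decision is enforced, so a denied
    attempt is just as visible to reviewers as a successful one.
    """
    today = today or date.today()
    allowed = field in ROLE_FIELDS.get(role, set())
    AUDIT_LOG.append(AuditEntry(today, actor, role, employee_id, field, allowed))
    if not allowed:
        raise PermissionError(f"role {role!r} may not read {field!r}")
    return RECORDS[employee_id][field]


def accesses_by(actor):
    """All audit entries for one person, for an out-of-band reviewer."""
    return [e for e in AUDIT_LOG if e.actor == actor]


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    last_rotated: date
    known_to: frozenset  # people who currently hold this shared password


# Constructed staff list and accounts: "pat" has left the company.
ACTIVE_STAFF = frozenset({"dana", "raj"})
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("hris-dba", date(2008, 7, 1), frozenset({"dana", "raj"})),
    PrivilegedAccount("domain-admin", date(2008, 3, 1), frozenset({"dana"})),
    PrivilegedAccount("backup-svc", date(2008, 8, 1), frozenset({"raj", "pat"})),
]


def overdue_rotations(accounts, active_staff, today, max_age_days=90):
    """Flag shared privileged passwords that are older than max_age_days or
    are still known to someone no longer on staff. Returns
    (account name, age in days, departed holders) for each flagged account."""
    flagged = []
    for acct in accounts:
        age = (today - acct.last_rotated).days
        departed = acct.known_to - active_staff
        if age > max_age_days or departed:
            flagged.append((acct.name, age, sorted(departed)))
    return flagged


if __name__ == "__main__":
    today = date(2008, 8, 25)
    print(read_field("dana", "helpdesk", "e100", "email", today))
    try:
        read_field("raj", "sysadmin", "e101", "salary", today)
    except PermissionError as exc:
        print("denied:", exc)
    print("raj's attempts:", accesses_by("raj"))
    print("rotate now:", overdue_rotations(SAMPLE_ACCOUNTS, ACTIVE_STAFF, today))
```

The point of logging before enforcing is that a nosy administrator who probes for salary data leaves a trace even when the check stops them; the rotation check pairs the survey’s quarterly-rotation finding with the departure case the article raises, since a password left unchanged after someone leaves is a standing credential for an ex-employee.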



10 Responses to “Nosy IT staff becomes biggest privacy threat”

  1. Judy Nelson Says:

    As a small company, we outsource our tech support. Because they support us from a remote location, they have the ability to log onto any computer including mine. We have an HRIS so plenty of sensitive info is stored online. I’m interested in any comments anyone might have.

  2. Joe Fish Says:

    Judy:

    We are in the same boat. To be blunt: we are at the mercy of our IT guy. He could do anything and we would never even know it. We either trust him or we don’t. Not very comforting, eh?

    JF

  3. Tom Says:

    There will always be someone in IT who can access HR data. What one needs to ensure is that it is auditable: who went in, and when. This can be done using firewalls. No rule should ever be put in place unless there is a procedure to monitor violators. It is not complicated. A separate department or person with a separate chain of command should be doing the monitoring.

    Just because one outsources does not restrict you from this type of monitoring. You can use low-cost software like spectersoft to monitor every keystroke and website from a PC.

  4. Jason Says:

    We manage all our IT support and we have 5 people in our IT department, but only 2 have FULL access to everything. It was explained to me when I first started in IT that confidentiality is part of the job and that you do not abuse the power that is given to you once you reach a certain level. Responsible jobs come with much responsibility. As savvy as some techs are, there are plenty of password-hacking tools out there for techs to use, so it goes back to what Judy said: you either trust them or you don’t.

    JN

  5. Mike Says:

    I am an IT guy and have access to EVERYTHING, but I could care less about what is in it. But I need access to EVERYTHING if I am to back up all your DATA, and your stupid pictures of your best friend’s wedding and your trip to Vegas and your resume you have been working on with company software for the past year. Trust me and be nice to your IT department; you never know when you may need that pic of Fluffy restored to your “My Pictures” folder.

  6. Patrick Says:

    As someone who has worked in the IT field for the past 15 years in various positions (currently an e-mail administrator), I have a few comments I would like to share. I can only speak for myself, but I have no urge to look at confidential information unless I have to, and I have plenty of opportunity to do so. Personally I’m just not interested, but if I was, I just don’t have time for it, and secondly I would fear losing my job. Everyone I know who works in IT is professional, but I have heard stories of those that have abused their power. I’m no security expert, but I believe there are ‘watchdog’ software products out there that allow someone without administrative privileges to monitor what is being accessed by whom, etc. This includes administrative accounts (the account your IT guy can use to do just about anything he/she wants). I guess if I was in the position that you folks are in, I would have a second IT guy/company that I hired to set this up and discuss your concerns with. Nothing keeps a person honest like knowing that he is being watched.

    Also, I think it’s a good idea for someone in your company to get a little training from the IT guy so someone has at least some basic understanding of how things work. Good documentation from your IT person should help: what services run on what servers, account names and passwords, ports and URLs of interest, etc. Information on backups: how they are run, when they are run, where they are stored, how they can be restored, etc. This isn’t directly related to your concerns about snooping, but it does address some of the concerns you should have about being at the mercy of your IT person.

  7. Deanna Says:

    I’m an IT Manager coming from the technical side, and I do agree with Mike on certain points. When you work in IT, there is an inherent understanding of the confidentiality, not just of business documents, but of personal information. It’s a privacy issue; IT workers don’t need laws to tell us that. Honestly, we couldn’t care less about confidential documents or salaries in the company. We have so many other projects to work on, and we have to constantly keep up with all the changes in technology and answer every question, from the simplest home computer question to the most technical future forecast. Yes, we do shake our heads at backing up photos on stuffed-to-the-brim hard drives on the corporate network, and watch our mail databases grow to 4 GB in size because users just don’t want to take any time to perform maintenance on their own documents and photos. Look at the relationship with IT this way: how many times would you send your meal back before you would expect spit in it? Treat IT people with respect, same as everyone else.

  8. Vicki Says:

    I am the COM and IT manager for the company. It’s my job to make sure all systems work invisibly. That includes security. I agree with Deanna that we couldn’t care less about confidential documents; however, we do need to know who may present a security threat to the entire company. I have protocols and “watchdog” software to help manage the access. It’s tough to be taken for granted and expected to drop everything if someone hits the wrong keystroke. Nosy IT? I think that’s part of the job. Nosy=curious, curious=knowledge, knowledge=IT.

    Mike, where do I send the chocolate chip cookies for you?

  9. Robert Says:

    Ignore the main-stream press on what happened in San Francisco. It’s mostly a management failure.

    1. Management had a single person design, install, maintain critical network infrastructure.

    2. Management knew person #1 was hyper-sensitive about security and protecting his work.

    3. Management knew person #1 considered the rest of the staff incompetent.

    4. Person #1 left, but refused to give the passwords to someone he felt would break what he built. He felt so strongly about protecting his work that he went to jail (he was not holding anything for ransom).

    5. The network continued to run normally, but no backbone changes could be made. The city was not shut down. That was sensationalistic press.

    http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html

    I believe person #1 finally gave the password to the Mayor (someone who knew they weren’t technical enough to abuse it, and would take responsibility for any damage)

    The root problem is there was only one guy who knew what was up. People in the above comments who mention their “IT Guy” (singular) could be in the same boat. You need some cross training or you’re playing with fire.

    Same goes with outsourcing… how many people do *they* have who know your setup? What if you ever want to change vendors?

    IT systems is one of the most important yet undervalued parts of a company.

    (disclaimer: I am an IT guy, but it doesn’t take a CEO to see what would happen if the mail server was down!)

    In other news, the San Francisco DA on 7/25 made public 150 usernames and passwords used to connect to the City’s VPN. :)

  10. Mike Says:

    Vicki,
    You can send them to Snow Summit Mt Resort in Big Bear Cal.

    So it is good to see that most of the IT people out here are just not interested in breaking into data that we are paid to protect.
    It’s boring and just not worth our time, and our jobs.
