Insider snooping on the rise

More than a third of IT staff admit to breaching corporate security and accessing critical data, says research

Survey says 74 per cent of IT admin staff can 'circumvent' network security

More than third (35 per cent) of IT staff have used their administration rights to breach data security, giving them access to critical corporate information without authorisation, according to research.

The study by Cyber Ark also suggests that nearly three-quarters of the 400 senior UK and US IT professionals polled said they could breach the security controls in place to protect against corporate information theft.

Asked what information they would take with them if made redundant, the three most popular responses were the customer database, the email server administrator account, and the firm's merger and acquisition (M&A) plans – all chosen by 47 per cent of those polled.

Next in line for potential theft were research and development (R&D) plans (46 per cent), the chief executive's password (46 per cent), financial reports (46 per cent) and the privileged password list (42 per cent). The corresponding figures for last year showed that the average increase in IT staff willing to take critical business data if made redundant was 28 per cent.

The survey suggests that firms need to fully monitor privileged account access, but 71 per cent of respondents indicated that privileged accounts were only partially monitored, and despite these controls, 74 per cent of those polled revealed that it did not stop them snooping around.

The significant failure of snooping controls was highlighted by the 35 per cent of IT administrators who admitted they were using high-level rights to access confidential or sensitive information. The most common areas targeted for snooping were HR records, followed by customer databases, M&A plans, redundancy lists, and marketing information.

"Unauthorised access to information such as customer credit card data, private personnel information, internal financial reports and R&D plans leaves a company vulnerable to a severe data leak with the risk of financial or regulatory exposure and damage to its brand, or competitors obtaining critically important competitive information,” said Udi Mokady, chief executive of Cyber-Ark.