Will Exiting Employees Steal Data?

Sep 2, 2008 3:16 PM



Companies should exercise extreme caution when it comes to dismissing employees with knowledge of a business’s IT systems, according to a new survey released by a company specializing in identity management.

Cyber-Ark Software’s annual survey "Trust, Security & Passwords" focuses on 300 IT security professionals and reveals that 88 percent of IT administrators, if laid off tomorrow, would take valuable and sensitive company information with them. The target information includes the CEO's passwords, the customer database, R&D plans, financial reports, M&A plans and, most importantly, the company's list of privileged passwords. Only 12 percent say they would leave empty-handed.

The privileged password list, in particular, provides the keys to unlock access to every piece of information on the network. Of the 88 percent who say they would take valuable information with them, one third would steal the privileged password list. The passwords protect sensitive and valuable documents and information such as financial reports, accounts, and HR records.

"Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it's often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data," says Udi Mokady, president and CEO of Cyber-Ark. "Our advice is to secure these privileged passwords and identities, and routinely change and manage them so that if an employee's contract is terminated, whether voluntary or not, they can't maliciously wreak havoc inside the network or vindictively steal data for competitive or financial gain."

Interestingly, one third of companies reveal that they believe industrial espionage and data leakage are rife, with data being leaked out of their companies and going to their competitors or criminals, usually via powerful high-gigabyte mobile devices such as USB sticks, iPods, Blackberrys and laptops -- or sent over e-mail. A quarter of companies also admit to suffering from internal sabotage and/or cases of IT security fraud happening in their workplace -- which shows just how prevalent IT security breaches are within most companies.

The survey shows that IT security is a genuine problem for most companies and, additionally, that those responsible for securing the systems are often sloppy when it comes to basic "good housekeeping." According to the survey, IT administrators, who are often responsible for security, don't exchange or send information securely, with 35 percent choosing to send sensitive or highly confidential information via e-mail. Furthermore, 35 percent of those surveyed use couriers to transport sensitive data -- a system only marginally safe when the information is backed up and encrypted. Astonishingly, 4 percent of the sample actually use the postal system to send sensitive information.

In spite of the billions that are currently spent on security systems to make them safe and secure, it is hard to instill good working practices even among the very people who are responsible for setting IT security standards in their own companies. One third of IT administrators surveyed admit to having written down privileged passwords on a Post-It note.

The survey also finds that a third of IT staff admit to snooping around the network, looking at highly confidential information, such as salary details, M&A plans, personal e-mails, board meeting minutes and other information that they were not privy to. They do this by using their privileged rights and administrative passwords to access information that is confidential or sensitive.

"You can install the best security systems in the world, but if your staff does not respect the information they are entrusted with, then the information will most definitely go astray -- just as the findings of this survey have illustrated," Mokady says. "That's why we recommend companies secure their privileged identities and sensitive information in a digital vault, only giving individuals access to the information they actually need, when they need it while also keeping a log of who has accessed what and when."

© 2009 Penton Media Inc.
