88% of IT workers would steal data if fired

[absolute55]

A study conducted by security company Cyber-Ark indicates that a significant number of corporate IT personnel snoop sensitive data, and nearly 9 out of 10 would take company secrets and remote access credentials with them if they were fired. This could pose a serious security risk for many companies and expose them to industrial espionage and other dangers.

The results of the Trust, Security and Passwords study are based on a survey of 300 system administrators at the Infosecurity 2008 event in Europe. Of the study respondents, 88 percent admitted they would take sensitive data with them when leaving their current place of employment, and approximately one-third said that they would abscond with company password lists. That could be a serious cause for concern for companies that have complex and loosely secured technological infrastructure.

Cyber-Ark claims that one-third of companies participating in the survey experience data breaches and theft on a regular basis. Information is leaked to competitors through a multitude of vectors, including e-mail, portable devices, and USB thumb drives. More than a quarter are also the victims of internal sabotage.

Many readers are undoubtedly familiar with Simon Travaglia's ******* Operator From Hell (BOFH), the fictional confessions of a disgruntled system administrator who uses his technological expertise to manipulate his employer, destroy his enemies, and torture users on the company network. If Cyber-Ark's study reflects reality, then the insidious machinations of the BOFH might not be so far-fetched.

Can anything be done to stop the sky from falling? Cyber-Ark says that routinely changing company passwords will reduce the risk of damage if an employee with high-level access is fired.

"Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company," said Cyber-Ark CEO Udi Mokady in a statement. "Our advice is to secure these privileged passwords and identities, and routinely change and manage them so that if an employee's contract is terminated, whether voluntary or not, they can't maliciously wreak havoc inside the network or vindictively steal data for competitive or financial gain."

This isn't a foolproof solution, however. The study also shows that one-third of IT administrators write down passwords that provide access to critical systems on Post-it notes. In my own experiences working in IT, I've learned that forcing users to change their passwords at routine intervals generally encourages that sort of nonsense.

While it's worth noting that most studies published by commercial vendors are ultimately intended to drive sales of their products, the Cyber-Ark study highlights an important issue that CTOs and IT managers should think about when cutting IT staff loose.

And We Wondered Why the Server Was Down Today

[shilpa]

Hey this is nice piece of information
Thanks for syharing this with all of us! I was facing network down problem & now i understood some more in this part!

[need Tos]

You can't trust your IT admin -- or at least that's the story being pushed by a security firm that released the eye-catching study results saying that 88% of IT admins surveyed would take "sensitive company" info such as passwords, if they were fired. We've all heard stories about disgruntled tech workers, so perhaps some part of this feels true, but that 88% number just seems way too high. The security company obviously has every reason to push a high number, as it's goal is to sell solutions that help deal with this supposed "problem." And, of course, it fails to release the actual details of the survey, such as how the questions were worded. While I'm sure there are some IT admins who would do so, it seems highly suspect to claim that almost 90% of IT admins would act in such a manner