Employers may be giving away the keys to the kingdom – or your corporate security – according to a global “snooping” survey released by security firm Cyber-Ark Software last week. The survey, entitled “Trust, Security and Passwords,” conducted with more than 1,400 IT and C-level professionals in North America and EMEA, indicates that unauthorized access to private information is rampant within companies.
An alarming number of employees in the survey admitted to snooping in private company data, with the IT professionals being the most likely. Among the IT professionals surveyed, 67 per cent admitted to accessing information not relevant to their role and 41 per cent admitted to abusing admin passwords to access sensitive or confidential information.
Unauthorized access to sensitive information can leave a company vulnerable to data leaks, financial and regulatory exposure and reputational damage.
The good news is that compared to the results of last year’s study, fewer IT professionals this year believe that they can get around privileged access controls. It’s debatable how good that news is, however, since this year’s figures reflect that 40 per cent of global IT managers surveyed still believe they can get around controls that monitor privileged access to information.
And while internal breaches remain a high risk, 57 per cent of the C-level respondents in the survey felt that the next one to three years will see external threats, such as cyber-criminals, being a greater security risk than threats from within the organization.
In the press release announcing the study, Adam Bosnian, executive vice president Americas and corporate development, Cyber-Ark Software, said:
“Privileged accounts are the key tool that external attackers and insiders leverage to access and exfiltrate an organization’s sensitive information.
While the survey shows a greater awareness around protecting these targets from attacks from any vector, it’s concerning that nearly one in five of C-level respondents believe that their corporations’ sensitive information may be being used against them in the market. Security teams need to start with improving the protection of these key internal targets – not simply building bigger walls around the enterprise.”
Remove the temptation
“It’s not just IT people, but also HR employees who have access to confidential information in your organization,” says Jason Victor, Director of IT at Customer Expressions, developers of i-Sight case management software. “Putting your data offsite has the added bonus of providing an additional level of segregation from access by organizational IT people. In i-Sight, you can track who has been in different records, you can restrict records to groups within HR and you can mark cases that are confidential that only certain people can see. Because it’s not internal, even your IT people can’t circumvent it.”
“The Common Sense Guide to Prevention and Detection of Insider Threats”, published by Carnegie Mellon’s Software Engineering Institute, recommends 16 practices that organizations should use to prevent, or facilitate early detection of, insider threats, based on hundreds of case studies of malicious insider activity.
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Clearly document and consistently enforce policies and controls.
- Institute periodic security awareness training for all employees.
- Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
- Anticipate and manage negative workplace issues.
- Track and secure the physical environment.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least privilege.
- Consider insider threats in the software development life cycle.
- Use extra caution with system administrators and technical or privileged users.
- Implement system change controls.
- Log, monitor, and audit employee online actions.
- Use layered defense against remote attacks.
- Deactivate computer access following termination.
- Implement secure backup and recovery processes.
- Develop an insider incident response plan.
Are you doing all these things in your organization to reduce the chances of your employees making off with your privileged information?