Can you trust your IT workers?

One IT Administrator interviewed for a recent survey into IT security laughed out loud, saying: "Why does it surprise you that so many of us snoop around your files, wouldn’t YOU if you had secret access to anything you can get your hands on?"

As if that weren’t bad enough, Cyber-Ark Software’s annual survey into "Trust, Security and Passwords" revealed that more than one-third of IT professionals admitted they could still access their company’s network after they’d left their job, with no one to stop them.

More than 200 IT professionals participated in the survey with many revealing that although it wasn’t corporate policy to allow IT workers to access systems after termination, more than 25% knew of another IT staff member who still had access to sensitive networks even though they’d long since left the company.

• Still using Post-It notes?

It seems very little changes year on year – more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently. Perhaps even more shocking about this year’s survey was that the 50% figure applies to IT professionals as well! More than half of respondents admitted to using Post-It notes to store administrative passwords, the super-powerful codes pre-built into every system such as the administrator ID on your local workstation.

As one IT administrator explained: "Sure, it’s easy for an employee to update the personal password to their laptop, but to change the administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down."

And where do they write it? On a Post-It note.

 • Admin passwords rarely change

One-fifth of all organisations admitted they rarely change their administrative passwords, with 7% saying they NEVER change them. This may explain why one-third of all people questioned would still have access to their network even after they’d left the company. Some 8% of IT professionals revealed that the manufacturer's default admin password on critical systems had never been changed, which remains the most common way for hackers to break into corporate networks.

Gary McKinnon, the "most profligate military hacker of all time" for gaining entry to 90 computers at the US Department of Defense, says: "The easiest way to infiltrate a company’s network is to look for administrative passwords which are left blank, still have the manufacturer’s default password or just use obvious names. Once you find these, which are unbelievably simple and common to find, you’re into the system and have the highest level of authority – bingo you’ve got control of the company’s system."

• Insider sabotage on the rise

15% of companies interviewed had experienced insider sabotage, which is not surprising considering that over one-third of IT staff report using administrative passwords to snoop around corporate systems. Even worse, such snooping can turn ugly when IT workers feel disgruntled, aggrieved and especially after they’ve been fired. According to a recent study by Carnegie Mellon University, the most common insider attack is by a disgruntled IT employee using anonymous access from a privileged account.

Calum Macleod, European Director of Cyber-Ark said: "It’s surprising to find out how rife snooping is in the workplace. Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information. Now all you need to have is the administrative password and you can snoop around most places, and it appears that is EXACTLY what’s happening.

"Companies need to wake up to the fact that if they don’t introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife!"