The IT Department as Corporate Snoop?

coondoggie writes with a link to a NetworkWorld article about the dangers of IT department snoops. A study released today is likely to exacerbate the trend of failing trust in employees; it shows that one in three IT employees poke through systems and prod at confidential information while on the job. The survey was done by a firm specializing in password security, so some salt might be required for this particular article. "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them. More than 200 IT professionals participated in the survey with many revealing that although it wasn't corporate policy to allow IT workers to access systems after termination, still almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago."

Only 1/3rd?

[Skyshadow]

1/3rd of IT professionals poke through other employee's files? What are the other 2/3rds up to all day long?

Never hire an IT guy who couldn't pass the BOFH test.

All the more reason....

[Chabo]

All the more reason to put make sure nobody else is snooping on you before you install your backdoor program!

Re:me!

[Anon-Admin]

The company I work for has a firewall is your site is blocked. It tells me "This site belongs to the XXXXXXXXXXXX defined Internet category "Tasteless" which has restrictions."

I guess Ill have to look at it when I get home. :)

Seperation of powers

[tubapro12]

Like in government (cough cough cough), powers should be divided amongst a number of people i.e. hardware admins, web server admins, database admins, 'maintenance admins', et cetera. But for the majority of places this could easily be too many people. Of course, this is pretty impractical too, and I for one know most admins don't like having obstacles; but after all that's the root of the problem at hand.

default passwords

[grassy_knoll]

From TFA:

Eight percent of respondents noted that they still use the manufacturer's default admin password on critical systems.

Some people are blockheads.
News at 11.

Why?

[Hoi+Polloi]

The last thing I want to do after spending 8 hours on my company's network is spend my personal time trying to get back onto my company's network.

Thinkgeek knows it too

[Weaselmancer]

They even sell the T-shirt.

Bad security, even without snooping

[L.+VeGas]

In the mid 90's, I switched employers. My former employer was a fairly large medical / toxicology (drug testing) laboratory, and the records were fully searchable by name, SS#, and so on. Around this time, I got a new PC, and left the old one pretty much untouched for several years. About five years later, I fired it up out of curiosity. The terminal emulator shortcut was still there, so I plugged in the modem and was on the laboratory's network within minutes. Full access.

The company has since been bought out and shut down, but that incident has always bugged me.

Shenanigans!

[laron]

"The survey found that more than one-third of IT professionals admit..."

I find that hard to believe.

Can't be called professional without ethics

[erroneus]

It's just my opinion but I'm sure many will agree with me on that. In every case where a person has privileged access to information as part of their job, there is usually some sort of ethical standard of non-disclosure in place. As an IT manager, I thrust my ethics upon people on a regular basis citing that I do not EVER want to know anything I don't need to know. Usually, it's passwords, but wouldn't that just be the start?

I can't imagine how anyone could consider themselves "professional" without professional standards of behavior to go along with it. Do professionals in all fields get tempted "by the dark side?" Oh yeah... we see it on the news every day.

But at a rate of 33% of IT professionals breeching company trust? That's pretty frightening... it's probably untrue.

This seems to keep coming up lately...

[Yobgod+Ababua]

Your company should have a published policy regarding user privacy and IT, and all members of IT should abide by that policy at all times. (In our case, for files or email, we require the approval of the user themselves or of a department manager and human resources before we go off reading your stuff. We do reserve the right to monitor network traffic at any time, for any reason, but we also make sure your email access runs encrypted over the network...)

In any case, please encourage your local IT Professionals to behave like Professionals. How should they behave, you ask?

Like THIS.

Anyone who doesn't lock the accounts of ex-root-access employees and change the shared passwords that they had access to is lazy and negligent, bordering on criminally negligent. That's just inexcuseable...

Re:old work still accessable

[Compholio]

it's nothing more then me checking on how my creation is going, if i saw a problem i'd probably report it to my old boss with a suggested fix.

I would imagine that a lot of employers have actually made the conscious choice to keep people like you online after "termination". After all, who knows when they may need you to fix your creation?

Re:Wot no exit procedures?

[nine-times]

More than any other reason, this is why your IT team should be well paid and why duties should be segregated.

And also "trustworthiness" really has to be high on your priority list of job-qualifications for IT people. I always tell people, if you can't trust your IT people, you're in trouble.

You might ask why. "Why can't you put security in place that prevents your IT people from accessing the information you don't want them to see?" Well, I'll answer that with another question: who will put that security in place? Inevitably, there will have to be people who put security in place, and whoever that is could leave back-doors for themselves. There will be people who maintain the systems and security, people with powerful logins and passwords, and those people can override your security.

And ultimately, there are accidents. At one company, we can a common spam database for the whole company (years ago). Every piece of spam went into the same place. While looking for false positives in order to see whether the filter needed adjusting, you'd see every e-mail that had a swear word in it. If someone wrote about "f*%king", it was in the spam filter. Every mention of "penis" went in the spam filter. A lot of it was spam, but there was plenty of employee e-mail going around, talking about things they probably didn't want anyone to see.

Also, there were plenty of times where someone invited me to look at their desktop or e-mail in order to help them with something. Like, "hey, can you help me find this e-mail I'm looking for?" I say "yeah," and the e-mail up on the screen is an e-mail about having an affair and an Excel file containing everyone's salaries. It happens!

My point is, even if your IT personnel are honest, they'll probably see sensitive information somehow, even if by accident. Trustworthiness is an important trait. My advice: If you're hiring IT people, it might be good to hire the person you'd feel most comfortable telling all your dirty secrets. If you're just another employee, keep any information on your work computer or pass information through your work systems unless you'd be comfortable with your IT people seeing it. If you must send information from work that you don't want your IT people to see, use a Gmail account, and don't leave your browser open while you're away from your computer.

Telegraph Operators

[Frogbert]

I like to think of myself as a Telegraph Operator. Sure I know peoples secrets, but it would be unprofessional for me to tell them to anyone.

It's a problem

[Phil+Wherry]

In the security business, a lot of the danger from IT employees comes from a class of attack known as "abuse of authority." It's near-impossible to prevent through technical measures, since the people in question need the elevated privileges in order to do their jobs. A careful program of auditing can often detect these abuses after they've occurred, however.

I had a situation occur a few years ago in which I had to fire a trusted and valuable staff member for snooping through a senior manager's email. Another staff member actually detected this when he printed a copy of the email, and it came out of the printer in his home office even though he was on travel. This came to my attention very quickly, and we reviewed audit logs that we'd put in place earlier and found plenty of evidence of his snooping. It pained me to fire the guy--he was smart, ambitious, and held up really well under pressure. But in the end, I concluded that a slap on the wrist would just send the message to other team members that it was OK to cheat until caught for the first time. I suspect that it was the right move for him, too; our sudden, decisive response to his lapse in judgment doubtless made an impression.

So, some advice to IT managers: ensure that there's an audit trail for all privileged activity. You'll detect and stop abuse if it's going in, and will deter staffers from being tempted to misuse their rights.

Phil

Why...?

[Telephone+Sanitizer]

> The survey found that more than one-third of IT professionals
> admit they could still access their company's network once
> they'd left their current job, with no one to stop them.

Does it seem that people are villainizing the IT guys that left?

Shouldn't the criticism be levied upon the IT guys who REMAIN?

And as for snooping, it's not the snooping that bugs me, but the disclosures that sometimes follow. I was really pissed off when my boss started publicly ripping on me for the quality of some code scraps he found in my documents folder.

I didn't mind that he looked -- I don't expect privacy on a corporate computer. But he used what he found in an attempt to humiliate me (which failed since the rest of the department knew that the code was something that I was reviewing from a new intern).