Slashdot Mirror

← Back to Stories (view on slashdot.org)

The IT Department as Corporate Snoop?

Posted by Zonk on from the like-penny-in-inspector-gadget dept.

coondoggie writes with a link to a NetworkWorld article about the dangers of IT department snoops. A study released today is likely to exacerbate the trend of failing trust in employees; it shows that one in three IT employees poke through systems and prod at confidential information while on the job. The survey was done by a firm specializing in password security, so some salt might be required for this particular article. "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them. More than 200 IT professionals participated in the survey with many revealing that although it wasn't corporate policy to allow IT workers to access systems after termination, still almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago."

7 of 116 comments (clear)

  1. default passwords by grassy_knoll · · Score: 4, Funny
    From TFA:

    Eight percent of respondents noted that they still use the manufacturer's default admin password on critical systems.


    Some people are blockheads.
    News at 11.
    --
    A Human Right
  2. Thinkgeek knows it too by Weaselmancer · · Score: 4, Funny

    They even sell the T-shirt.

    --
    Weaselmancer
    rediculous.
  3. Bad security, even without snooping by L.+VeGas · · Score: 4, Interesting

    In the mid 90's, I switched employers. My former employer was a fairly large medical / toxicology (drug testing) laboratory, and the records were fully searchable by name, SS#, and so on. Around this time, I got a new PC, and left the old one pretty much untouched for several years. About five years later, I fired it up out of curiosity. The terminal emulator shortcut was still there, so I plugged in the modem and was on the laboratory's network within minutes. Full access.

    The company has since been bought out and shut down, but that incident has always bugged me.

    --
    Best Windows Freeware
  4. Can't be called professional without ethics by erroneus · · Score: 4, Interesting

    It's just my opinion but I'm sure many will agree with me on that. In every case where a person has privileged access to information as part of their job, there is usually some sort of ethical standard of non-disclosure in place. As an IT manager, I thrust my ethics upon people on a regular basis citing that I do not EVER want to know anything I don't need to know. Usually, it's passwords, but wouldn't that just be the start?

    I can't imagine how anyone could consider themselves "professional" without professional standards of behavior to go along with it. Do professionals in all fields get tempted "by the dark side?" Oh yeah... we see it on the news every day.

    But at a rate of 33% of IT professionals breeching company trust? That's pretty frightening... it's probably untrue.

  5. Re:Wot no exit procedures? by nine-times · · Score: 5, Informative

    More than any other reason, this is why your IT team should be well paid and why duties should be segregated.

    And also "trustworthiness" really has to be high on your priority list of job-qualifications for IT people. I always tell people, if you can't trust your IT people, you're in trouble.

    You might ask why. "Why can't you put security in place that prevents your IT people from accessing the information you don't want them to see?" Well, I'll answer that with another question: who will put that security in place? Inevitably, there will have to be people who put security in place, and whoever that is could leave back-doors for themselves. There will be people who maintain the systems and security, people with powerful logins and passwords, and those people can override your security.

    And ultimately, there are accidents. At one company, we can a common spam database for the whole company (years ago). Every piece of spam went into the same place. While looking for false positives in order to see whether the filter needed adjusting, you'd see every e-mail that had a swear word in it. If someone wrote about "f*%king", it was in the spam filter. Every mention of "penis" went in the spam filter. A lot of it was spam, but there was plenty of employee e-mail going around, talking about things they probably didn't want anyone to see.

    Also, there were plenty of times where someone invited me to look at their desktop or e-mail in order to help them with something. Like, "hey, can you help me find this e-mail I'm looking for?" I say "yeah," and the e-mail up on the screen is an e-mail about having an affair and an Excel file containing everyone's salaries. It happens!

    My point is, even if your IT personnel are honest, they'll probably see sensitive information somehow, even if by accident. Trustworthiness is an important trait. My advice: If you're hiring IT people, it might be good to hire the person you'd feel most comfortable telling all your dirty secrets. If you're just another employee, keep any information on your work computer or pass information through your work systems unless you'd be comfortable with your IT people seeing it. If you must send information from work that you don't want your IT people to see, use a Gmail account, and don't leave your browser open while you're away from your computer.

  6. Telegraph Operators by Frogbert · · Score: 4, Insightful

    I like to think of myself as a Telegraph Operator. Sure I know peoples secrets, but it would be unprofessional for me to tell them to anyone.

  7. It's a problem by Phil+Wherry · · Score: 4, Interesting

    In the security business, a lot of the danger from IT employees comes from a class of attack known as "abuse of authority." It's near-impossible to prevent through technical measures, since the people in question need the elevated privileges in order to do their jobs. A careful program of auditing can often detect these abuses after they've occurred, however.

    I had a situation occur a few years ago in which I had to fire a trusted and valuable staff member for snooping through a senior manager's email. Another staff member actually detected this when he printed a copy of the email, and it came out of the printer in his home office even though he was on travel. This came to my attention very quickly, and we reviewed audit logs that we'd put in place earlier and found plenty of evidence of his snooping. It pained me to fire the guy--he was smart, ambitious, and held up really well under pressure. But in the end, I concluded that a slap on the wrist would just send the message to other team members that it was OK to cheat until caught for the first time. I suspect that it was the right move for him, too; our sudden, decisive response to his lapse in judgment doubtless made an impression.

    So, some advice to IT managers: ensure that there's an audit trail for all privileged activity. You'll detect and stop abuse if it's going in, and will deter staffers from being tempted to misuse their rights.

    Phil