IT Jobs
IT admins read private email, says report
Nothing is secret.
By Manek Dubash | Techworld
Published: 14:42 GMT, 29 May 07
IT staff routinely snoop on users, riffling through their emails and personal files, a newly released survey has found.
One IT administrator laughingly said: "Why does it surprise you that so many of us snoop around your files, wouldn’t you, if you had secret access to anything you can get your hands on?"
Few ordinary users realise that one in three of their IT work colleagues are snooping through company systems, peeking at confidential information such as your private files, wage data, personal emails, and HR background, using admin privileges.
These are the findings of a survey released today by digital vaulting specialist Cyber-Ark Software, which carried out the research at last month’s Infosecurity Exhibition as part of its annual survey into "Trust, Security and Passwords".
What's more, the survey found that more than one-third of IT professionals admit they could still access their company’s network once they’d left their current job, with no one to stop them.
More than 200 IT professionals participated in the survey with many revealing that although it wasn’t corporate policy to allow IT workers to access systems after termination, over one-quarter of respondents knew of another IT staff member who still had access to sensitive networks even though they’d left the company long ago.
Post-It Notes and passwords
More than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders from the IT security industry to do it differently. Even IT pros do it too: over half of respondents admitted to using Post-It notes to store passwords to administrator accounts.
One IT administrator said: "Sure, it’s easy for an employee to update the personal password to their laptop, but to change the administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down."
Administrative passwords
One-fifth of all organisations admitted that they rarely changed their administrative passwords with seven per cent saying they never change administrative passwords. This may explain why one-third of all people questioned would still have access to their network even if they’d left the company. Eight per cent of IT professionals said that the manufacturer's default admin password on critical systems had never been changed. This remains the most common way for hackers to break into corporate networks.
Gary McKinnon, dubbed "the most profligate military hacker of all time" for gaining entry to 90 US military computer systems computers by scanning for blank administrator accounts, said: "The easiest way to infiltrate a company’s network is to look for administrative passwords which are left blank, still have the manufacturer's default password or just use obvious names. Once you find these, which are unbelievably simple and common to find, you’re into the system and have the highest level of authority -- bingo you’ve got control of the company’s system."
Password storage
The survey also showed that most companies mismanage the storage of administrative passwords by keeping them in unsecured locations and not controlling access to these critical codes. Just over half (57 per cent) of companies store their administrative passwords manually, 18 per cent store them in an Excel spreadsheet, and 82 per cent of IT professionals store them in their heads - hindering security efforts, business continuity, as well as the auditing, controlling and managing of passwords. In the event that the keeper of these critical administrative passwords is unavailable or loses the location of the passwords, it can cause massive disruption and hours of lost productivity.
Insider sabotage
Fifteen per cent of companies interviewed had experienced insider sabotage. According to a recent study by Carnegie Mellon University, the most common insider attack is by a disgruntled IT employee using anonymous access from a privileged account.
Calum Macleod, European Director for Cyber-Ark, said: "It’s surprising to find out how rife snooping is in the workplace. Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information. Now all you need to have is the administrative password and you can snoop around most places, and it appears that is exactly what’s happening.
"Companies need to wake up to the fact that if they don’t introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife."
The moral of the story is that if you don't want anyone from the besuited senior IT director to the newest IT admin poking about in your personal data, don't bring it to work...
Add your commentComments
b. | Published: 20:22 GMT, 18 June 2007
hey, anyone know if IT can look at your personal-email sent from an Internet email address...like Yahoo...whilst using personal-email at work?
Atti | Published: 21:31 GMT, 31 May 2007
Regarding Ctrl-Alt-Del and locking your computer: it does not stop your IT staff from taking a look on what have on your computer. They can log in with an administrative account, or, even worse, they can take a look even remotely if they have an adminstrator account on your workstation (which they probably have). Just try with a windows computer on which you have an account with admin rights. Do you know about those funny C$, D$, etc shares on windows? ;)
LB | Published: 06:42 GMT, 31 May 2007
I was harrassed by my personnel manager because I knew that they were moving money into things that were not in the best public interest. They sent out false emails from my terminal, which I had switched off in the office, but who can you turn to if you think all your emails are read?
Stone | Published: 17:52 GMT, 30 May 2007
Thanks, Ed. I stand corrected. Another possible option: No personal e-mail access at the office.
Ed | Published: 16:27 GMT, 30 May 2007
Sorry Stone but control-alt-delete doesn't log you off. It just locks your computer. It also will not keep admin's from viewing your emails because they are reading them off the exchange server not your computer. Best practice is what the author stated at the end "if you don't want an admin poking about in your personal data, don't bring it to work...'
Stone | Published: 12:38 GMT, 30 May 2007
Keep It Simple Stupid comes to mind. I, wholeheartedly, agree with Earle's statement. By the way, company e-mail is not protected by the same laws that protect your personal e-mail. For best practices, ALWAYS log off your desktop/laptop (i.e., control - alt - delete) any time you are away from your node.
Mark | Published: 12:05 GMT, 30 May 2007
Anything that can be abused probably will be. I don't know how anyone can be surprised by this article.
Bob | Published: 20:58 GMT, 29 May 2007
The down-side risk is immense - IT is not trained to evaluate the legality of email, and viewing may be a violation of privacy rights if management has not pre-approved it for a specific reason.
S.M. | Published: 18:02 GMT, 29 May 2007
There should be specifically designated staff who audit things. IT staff should not take it upon themselves to arbitrarily "check through e-mails once in a while." There needs to be a reason for this being done. You also better make sure that your users know that their data and use are subject to monitor because otherwise they have a right to assume privacy.
James | Published: 17:12 GMT, 29 May 2007
Its good practice for IT technical staff/admins to check through e-mails once in a while. If its not work related it should not be on the work systems.