To a hammer, everything looks like a nail. And to an information security company, everyone looks like a thief.
In its third annual survey of IT professionals, Newton, Mass.-based security information company Cyber-Ark has found that more than a third of IT personnel have used their IT admin powers to access sensitive corporate information without authorization.
The 400-person survey also found that almost three out of four respondents acknowledged being able to circumvent information access controls at their workplace. This isn't entirely surprising given that these same IT admins probably had a hand in setting up or maintaining these controls.
And really, there's something breathless about such findings. A similar percentage of respondents would probably acknowledge being able to stab co-workers with a pen. But being able to do so isn't the same as possessing an interest in doing so or exercising that ability.
According to Cyber-Ark, the recent economic decline has coincided with an increase in the number of respondents who say that they would take corporate data with them if they were fired. When respondents were asked "What would you take with you," six times as many (47%) as in 2008 said they would take financial reports or merger and acquisition plans, and four times as many (46%) as in 2008 said they'd take CEO passwords and R&D plans.
It may be however that a survey question of this sort amounts to push-polling -- asking a question to elicit a particular response. Asking "What would you take with you" presumes a willingness to steal that may not exist and makes the act of stealing seem like an expectation.
Certainly, there's a risk from insiders, particularly among those who've been fired. The survey notes that 1 in 5 companies acknowledged being affected by insider sabotage or IT security fraud. The risk is real. But there's risk, too, in believing your IT staff is out to get you.
InformationWeek Analytics has published an independent analysis on what executives really think about security. Download the report here (registration required).
