In-Depth

Disgruntled Employees Pose Large Inside Threat

A new survey finds that nearly 9 out of 10 IT employees say they'd steal privileged or confidential information if they knew they were going to be laid-off tomorrow.

• By Stephen Swoyer
• 09/09/2008

Forget, for a moment, the danger posed by determined external attackers: a danger that was underscored by two recent breaches at Bank of New York Mellon and Best Western. Many security pros warn that internal attackers pose a much greater danger than do their external counterparts, thanks both to their physical proximity to sensitive information systems and to their ability to access -- often by abusing positions of trust -- the data residing on those systems. At least one security specialist takes that logic still further. Internal attackers are dangerous, argue officials from security specialist Cyber-Ark Software Ltd., but disgruntled internal attackers could pose the greatest danger of all.

Consider the results of Cyber Ark's recent "Trust, Security, and Passwords" survey, which explored the information security practices -- and moral flexibility -- of about 300 IT pros. Its findings are sobering, to say the least.

For example, an overwhelming majority of IT security pros say they would take -- read: steal -- "valuable or sensitive" data if they were laid off tomorrow.

Survey respondents cited a number of items they'd be eager to steal -- including customer databases, R&D plans, financial reports, M&A proposals, and (assuming they were able to get them) "privileged" passwords.

"Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to, which allows them to see everything that is going on within the company," said Cyber-Ark president and CEO Udi Mokady, in a statement. "These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it's often considered too much [of a] hassle. When people leave the organization, they can often still access [IT resources] using these passwords to acquire highly sensitive data."

Cyber-Ark has a particular interest in the results. By pointing out the dangers posed by rogue or "devious" IT security professionals -- particularly those who would steal critical passwords -- the company can make a better case for password "vaulting" technology (such as its LDAP-compliant Enterprise Password Vault).

Even so, Mokady offers some good recommendations. "Our advice is to secure these privileged passwords and identities, and routinely change and manage them so that if an employee's contract is terminated, whether voluntarily or not, they can't maliciously wreak havoc inside the network or vindictively steal data for competitive or financial gain," he urges.

In addition to its most provocative claims, the Cyber-Ark survey highlights several eyebrow-raising -- if slightly less egregious -- security practices.

For example, a significant minority of IT admins don't observe common security best practices -- particularly with respect to secure information exchange. As a result, Cyber-Ark claims, nearly two-fifths (35 percent) of IT admins admitted having sent "sensitive" or "highly-confidential" information via e-mail. More troubling still is that many IT pros still use sticky notes to keep track of important passwords. According to Cyber-Ark, one-third of IT admins confessed to having scrawled passwords on Post-Its.

The survey also found that IT pros are habitual snoops: one-third of IT staff members acknowledged having trawled enterprise networks to dredge up confidential information -- such as salary details, M&A proposals, or even personal e-mails.

"You can install the best security systems in the world, but if your staff does not respect the information they are entrusted with, then the information will most definitely go astray," Mokady concludes.