News

Insider Snooping Still Serious Security Issue, Survey Finds

Last year's Cyber-Ark "Trust, Security & Passwords" survey revealed that one-third of IT staff used their IT administration rights to access privileged or confidential data, including human resources records, layoff lists, merger and acquisition plans, and customer databases. Behavior hasn't changed much according to results from this year's survey.

"Despite a sharp rise in data breaches and increased media awareness on the subject, the third annual Cyber-Ark survey reveals that 35 percent of IT workers now admit to accessing corporate information without authorization, while 74 percent of respondents stated that they could circumvent the controls currently in place to prevent access to internal information," according to Cyber-Ark.

The global survey polled over 400 senior IT professionals in the United States and the United Kingdom, primarily enterprise-class companies.

The survey reveals what type of information (and how much of that data) employees are interested in taking if they are fired. This year's survey reports "a sharp increase in the number of respondents who say they would take proprietary data and information that is critical to maintaining competitive advantage and corporate security."

For security managers, an ever more alarming result is the six-fold increase in staff "who said they would take financial reports or merger and acquisition plans." Staff who would take CEO passwords and research and development plans also climbed, increasing four-fold since last year.

Here's what employees would most likely steal:

Type of Information

 2009 

 2008 

Customer Database

 47% 

 35% 

E-mail Server Admin Account

 47% 

 13% 

M&A Plans

 47% 

 7% 

Copy of R&D Plans

 46% 

 13% 

CEO's Password

 46% 

 11% 

Financial Reports

 46% 

 11% 

Privileged Password List  

 42% 

 31% 

Also worrisome: one company in five admits having experienced "cases of insider sabotage or IT security fraud." Of those, "36 percent suspect that their competitors have received their company's highly sensitive information or intellectual property."

Organizations know about the problem. Seventy-one percent of respondents indicated that privileged accounts are monitored somewhat; of these, 91 percent of those being monitored accept their employer's monitoring activities.

Despite such understanding, nearly three-quarters of respondents (74 percent) say that they could still circumvent such monitoring. Further highlighting the ineffectiveness of an enterprise's controls and access policies, more than a third (35 percent) of IT administrators confessed to using their administration rights to look at confidential or sensitive information. They most often access "HR records, followed by customer databases, M&A plans, layoff lists and, lastly, marketing information."

"This survey shows that while most employees claim that access to privileged accounts is currently monitored and an overwhelming majority support additional monitoring practices, employee snooping on sensitive information continues unabated. Unauthorized access to information such as customer credit card data, private personnel information, internal financial reports and R&D plans leaves a company vulnerable to a severe data leak with the risk of financial or regulatory exposure and damage to its brand, or competitors obtaining critically important competitive information," said Udi Mokady, CEO of Cyber-Ark, in a prepared statement.

The full survey can be downloaded in PDF form here; registration is required for access.

About the Author

Jim Powell is president and CEO of Daisytek International Corporation. He can be contacted at 972-881-4700 or [email protected].

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.