Survey: Canned IT Employees Will Steal Your Info

    September 2, 2008
    Chris Crum

"Exercise extreme caution when it comes to dismissing employees with knowledge of your IT systems," warns security vendor Cyber-Ark Software.

Your company’s network may not be as secure as you think it is. A recent survey from Cyber-Ark revealed that about 88% of IT administrators said they would take sensitive company information with them if they were to lose their jobs. Only the remaining 12% said they would not.

One of the biggest pieces of information that many of them would take is the "privilege password list," which would of course open up the floodgates to all kinds of sensitive data.

"Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it’s often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data," saysCyber-Ark. President and CEO Udi Mokady.

The survey results almost come across as a collective blackmail from IT admins, warning employers not to can them. The fact that such a large percentage of those surveyed admit that they would engage in this type of behavior is a little startling.

Cyber-Ark’s advice is to have passwords changed regularly, but when the IT staff are the ones changing the passwords, it’s going to be hard to control. "The study also shows that one-third of IT administrators write down passwords that provide access to critical systems on Post-it notes," says Ars Technica’s Ryan Paul. "In my own experiences working in IT, I’ve learned that forcing users to change their passwords at routine intervals generally encourages that sort of nonsense."

It’s hard to say if the results from this one survey are indicative of an entire industry, but you might want to think long and hard before making any big decisions regarding your IT staff’s employment status.