Lax password security means one-in-three IT workers snoop on confidential data
30 May 2007
The parlous state of internal IT security was highlighted yesterday with the publication of a survey that revealed that one in three tech workers admits to using special privileges to peek at colleagues’ confidential data.
The survey was carried out by Cyber-Ark Software and is based on interviews with 200 IT professionals at last month’s Infosecurity expo in London. The fact that delegates at a security conference were happy to admit to snooping on co-workers’ private files, wage data, personal emails and HR background is in itself worth noting. Indeed, one IT administrator apparently laughed out loud as he answered the survey, saying: “Why does it surprise you that so many of us snoop around your files? Wouldn’t you if you had secret access to anything you can get your hands on!”
As if that wasn’t bad enough, the survey found that more than one-third of IT professionals admit they could still access their company’s network once they’d left their current job. Another finding was that more than half of respondents admitted to using Post-It notes to store administrative passwords.
One-fifth of all organisations admitted that they rarely changed their administrative passwords, with 7% saying they never change administrative passwords. This may explain why one-third of all people questioned would still have access to their network even if they’d left the company. 8% of IT professionals revealed that the manufacturer’s default admin password on critical systems had never been changed.
The survey also showed that the majority of companies mismanage the storage of administrative passwords by keeping them in unsecured locations and hence not controlling access to these critical codes. 57% of companies store their administrative passwords manually, 18% store them in Excel spreadsheets (which are notoriously insecure and easy to access), and 82% of IT professionals store them in their heads -- hindering security efforts and business continuity.
Unsurprisingly, given the report’s other findings, 15% of companies interviewed had experienced insider sabotage. Calum Macleod, European director for Cyber-Ark said: “Companies need to wake up to the fact that if they don’t introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife.”
There are some caveats here. The number of interviewees was fairly small and Cyber-Ark does specialise in digital vaulting solutions for securing administrative passwords. For instance, its Enterprise Password Vault solution creates a central point for storing, accessing, and maintaining administrative passwords used to access OS/400, amongst other operating systems. But it is hard to dismiss the survey’s findings from a System i point of view when one considers another survey carried out by PowerTech earlier this year.
This survey of about 180 System i sites, including 26 in the UK, found that 76% of systems don’t control or audit changes to data made through PC access applications like Excel and Access, creating uncontrolled network access. 10% of all users have privileged (root-level) access authority. Confidential reports can be viewed by 20% of all users, and 50% of all systems have over 20 users with default passwords (password = user name) that can be easily determined by any attacker.
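The findings above (default passwords equal to the user name, administrative passwords that are never rotated, and a large share of privileged accounts) are the kind of conditions an administrator can audit from an account inventory. The script below is an added example written for this article, not code from Cyber-Ark, PowerTech or any System i tooling; it assumes a constructed inventory export in which each account carries a salt, a SHA-256 hash of salt plus password, and a last-changed date, and it flags the weaknesses the surveys describe.

```python
"""Audit a constructed account inventory for the weaknesses the surveys describe:
password identical to the user name, admin passwords never changed, and admin
passwords older than a rotation threshold. The inventory layout and hashing scheme
are assumptions for this example, not any vendor's export format or API."""
from dataclasses import dataclass
from datetime import date
from hashlib import sha256
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    is_admin: bool
    salt: str
    pw_hash: str                  # hex of sha256(salt + password); assumed export format
    last_changed: Optional[date]  # None means never changed since the account was created


def hash_pw(salt: str, password: str) -> str:
    """Assumed verifier: SHA-256 over salt concatenated with the password."""
    return sha256((salt + password).encode()).hexdigest()


def audit(accounts: List[Account], today: date, max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for every weakness found in the inventory."""
    findings = []
    for a in accounts:
        # Default credential: the password is the user name in any common casing.
        for candidate in {a.username, a.username.lower(), a.username.upper()}:
            if hash_pw(a.salt, candidate) == a.pw_hash:
                findings.append((a.username, "default-credential"))
                break
        if a.is_admin:
            if a.last_changed is None:
                findings.append((a.username, "admin-password-never-changed"))
            elif (today - a.last_changed).days > max_age_days:
                findings.append((a.username, "admin-password-stale"))
    return findings


def privileged_percent(accounts: List[Account]) -> float:
    """Share of accounts holding privileged access, as a percentage."""
    return 100.0 * sum(1 for a in accounts if a.is_admin) / len(accounts)


def _mk(username: str, is_admin: bool, password: str, last_changed: Optional[date]) -> Account:
    # Build a constructed record; the salt derivation is arbitrary for the sample.
    salt = "s-" + username
    return Account(username, is_admin, salt, hash_pw(salt, password), last_changed)


# Constructed sample inventory; no real system or user is represented.
SAMPLE_ACCOUNTS = [
    _mk("SECADMIN", True, "correct horse battery", date(2007, 3, 1)),
    _mk("JSMITH", False, "jsmith", date(2007, 5, 1)),
    _mk("BACKUPADM", True, "Tr0ub4dor&3", None),
    _mk("DBADMIN", True, "Another-Str0ng-One", date(2006, 1, 15)),
    _mk("MJONES", False, "Good-Pass-2007!", date(2007, 5, 20)),
]

if __name__ == "__main__":
    for user, issue in audit(SAMPLE_ACCOUNTS, today=date(2007, 5, 30)):
        print(f"{user}: {issue}")
    print(f"privileged accounts: {privileged_percent(SAMPLE_ACCOUNTS):.0f}%")
```

With the sample data and a review date of 30 May 2007, the audit reports JSMITH as carrying a default credential, BACKUPADM as an admin account whose password was never changed, and DBADMIN as an admin password past the 90-day threshold; SECADMIN, changed exactly 90 days earlier, is not yet flagged.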
Seamus Quinn
