InfoSec Pros Among Worst Offenders of Employer Snooping

IT security professionals often cross the ethical line when it comes to their employer, with 66% of survey respondents admitting that they seek out and access company information that they didn't need to do their work, according to a survey released today.

The global survey, which queried 913 IT security professionals, found 36% of respondents were willing to take it a step further and admitted to hunting down, or accessing, sensitive company performance information that was irrelevant to their work.

And it turns out that IT security executives were the worst offenders of this snooping behavior, compared to the rest of their team, according to the Dimensional Research survey commissioned by One Identity.

When it comes to general snooping of company information that is not sensitive, 71% of IT security executives admitted to this behavior, compared with 56% of IT security workers who did not hold a managerial position, the survey found.

The percentage of IT security executives willing to track down or access sensitive company performance information was a whopping 40%, compared with 17% for IT security team members who were not in a managerial role.

"I had an IT role in the past. There is always a temptation with privileges to explore where they should not explore. But what surprised me was how pervasive it is," says Jackson Shaw, senior director of product management for One Identity.

While the survey did not dig into the specific types of sensitive company performance information that IT executives sought, generally this type of information may fall into the realm of company profits and revenue, he noted. As for non-company performance information, IT security professionals may spend trolling through layoff lists, promotion lists, and employee salaries buried within the bowels of the human resources department, Shaw surmised.

"Most file servers at companies are not heavily locked down, and typically the IT security staff has the most privileges, so it's entirely possible that these people know what the monitoring technology is looking at and know how not to get caught," says Shaw.

He estimates that less than 50% of companies likely track the movements of their IT security teams and IT administrators as they move through the corporate network and other systems.

The survey also found that 92% of IT security professionals say that employees at their companies attempt to access the information they don't need to do their work. Also, 44% of IT security pros working at technology companies admit to searching for sensitive company information, compared to 36% at financial services companies or 21% of healthcare companies.

Guarding the Gatekeepers
Cybersecurity ethics is a topic that some colleges, as well as workshops, address. But often the topic of ethics may center on what an IT security professional should do when tracking down and dealing with hackers and cybercriminals.

However, cybersecurity professionals should be held to a higher standard when it comes to their own behavior, says Jane LeClair, president and CEO of the Washington Center for Cybersecurity Research and Development and former dean of the school of business and technology at Excelsior College in Albany, NY.

"As with any profession where sensitive information is available — medical, military, finances, etc. — those who are involved with the care and security of that information should be held to a higher standard," LeClair says. "With the use of powerful computers, those in the IT arena have been entrusted with not only the ability to access that sensitive data but to safeguard it as well. Part of that responsibility is the intrinsic control to restrain oneself from 'snooping into material that is beyond the scope of one's normal area of activity."

People tend to snoop out of natural curiosity and because their personal sense of accountability has not been adequately developed, LeClair explains.

Personal responsibility stems from a childhood where trust and integrity are ingrained at an early age and then continues through the maturing process that leads to adulthood, she adds, noting that people placed in positions of responsibility before they have "matured" and have developed appropriate life "filters" tend to have errors in judgment.

As for IT security executives who troll through their employer's data and information that is not tied to their work, LeClair points to an 19th century adage attributed to Lord Acton that power tends to corrupt and absolute power corrupts absolutely.

"Computers are, for now anyway, the ultimate instruments of information and power…. Knowledge is power," she says. "Executives and people in positions of responsibility seek control of their situations and those that might influence their status. Acquiring knowledge beyond what is personally needed to perform an assigned job or responsibility provides data and insights that can be filed away for future use and self-promotion. The more power and information you attain, the greater your position and the more power and information you seek to maintain your status."

Can Ethics be Trained?
While it may be human nature to snoop, the filters an individual places on their behavior can be a learned experience, LeClair says.

"Much of that comes from the upbringing you experience from childhood and carries on through schooling and into adulthood. Sadly, in seemingly increasing numbers, people are missing out on developing those filters of personal accountability and trust," she observes.

In the past, emphasis on attaining computer skills has focused on the nuts and bolts of acquiring those skills and less on "how" those learned skills should be applied, LeClair says.

With the current shortfall of skilled IT professionals, there has been a rush to fill the pipeline with individuals to fill those vacant seats, and in many cases, it seems the rush has increasingly cut short the emphasis on ethics, she adds.

"Wherever training or education is provided, from high schools to colleges, training centers to the workplace, ethics must take a prominent place in the curriculum," says LeClair. "In many cases, the ethics training that is received today by our cybersecurity students does not provide cases on these types of situations that would present themselves to the cyber professional."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.