10/17/2017 10:40 AM

InfoSec Pros Among Worst Offenders of Employer Snooping

A majority of IT security professionals admit to trolling through company information unrelated to their work -- even sensitive material.

IT security professionals often cross the ethical line when it comes to their employer, with 66% of survey respondents admitting that they seek out and access company information that they didn't need to do their work, according to a survey released today.

The global survey, which queried 913 IT security professionals, found 36% of respondents were willing to take it a step further and admitted to hunting down, or accessing, sensitive company performance information that was irrelevant to their work.

And it turns out that IT security executives were the worst offenders of this snooping behavior, compared to the rest of their team, according to the Dimensional Research survey commissioned by One Identity.

When it comes to general snooping of company information that is not sensitive, 71% of IT security executives admitted to this behavior, compared with 56% of IT security workers who did not hold a managerial position, the survey found.

The percentage of IT security executives willing to track down or access sensitive company performance information was a whopping 40%, compared with 17% for IT security team members who were not in a managerial role.

"I had an IT role in the past. There is always a temptation with privileges to explore where they should not explore. But what surprised me was how pervasive it is," says Jackson Shaw, senior director of product management for One Identity.

While the survey did not dig into the specific types of sensitive company performance information that IT executives sought, this type of information generally falls into the realm of company profits and revenue, he noted. As for sensitive information unrelated to company performance, IT security professionals may spend time trolling through layoff lists, promotion lists, and employee salaries buried within the bowels of the human resources department, Shaw surmised.

"Most file servers at companies are not heavily locked down, and typically the IT security staff has the most privileges, so it's entirely possible that these people know what the monitoring technology is looking at and know how not to get caught," says Shaw.

He estimates that less than 50% of companies likely track the movements of their IT security teams and IT administrators as they move through the corporate network and other systems.

The survey also found that 92% of IT security professionals say that employees at their companies attempt to access information they don't need to do their work. Also, 44% of IT security pros working at technology companies admit to searching for sensitive company information, compared with 36% at financial services companies and 21% at healthcare companies.

Guarding the Gatekeepers
Cybersecurity ethics is a topic that some colleges, as well as workshops, address. But often the topic of ethics may center on what an IT security professional should do when tracking down and dealing with hackers and cybercriminals.

However, cybersecurity professionals should be held to a higher standard when it comes to their own behavior, says Jane LeClair, president and CEO of the Washington Center for Cybersecurity Research and Development and former dean of the school of business and technology at Excelsior College in Albany, NY.

"As with any profession where sensitive information is available — medical, military, finances, etc. — those who are involved with the care and security of that information should be held to a higher standard," LeClair says. "With the use of powerful computers, those in the IT arena have been entrusted with not only the ability to access that sensitive data but to safeguard it as well. Part of that responsibility is the intrinsic control to restrain oneself from 'snooping into material that is beyond the scope of one's normal area of activity.'"

People tend to snoop out of natural curiosity and because their personal sense of accountability has not been adequately developed, LeClair explains.

Personal responsibility stems from a childhood where trust and integrity are ingrained at an early age and then continues through the maturing process that leads to adulthood, she adds, noting that people placed in positions of responsibility before they have "matured" and have developed appropriate life "filters" tend to have errors in judgment.

As for IT security executives who troll through their employer's data and information that is not tied to their work, LeClair points to a 19th-century adage attributed to Lord Acton: power tends to corrupt, and absolute power corrupts absolutely.

"Computers are, for now anyway, the ultimate instruments of information and power…. Knowledge is power," she says. "Executives and people in positions of responsibility seek control of their situations and those that might influence their status. Acquiring knowledge beyond what is personally needed to perform an assigned job or responsibility provides data and insights that can be filed away for future use and self-promotion. The more power and information you attain, the greater your position and the more power and information you seek to maintain your status."

Can Ethics be Trained?
While it may be human nature to snoop, the filters an individual places on their behavior can be a learned experience, LeClair says.

"Much of that comes from the upbringing you experience from childhood and carries on through schooling and into adulthood. Sadly, in seemingly increasing numbers, people are missing out on developing those filters of personal accountability and trust," she observes.

In the past, emphasis on attaining computer skills has focused on the nuts and bolts of acquiring those skills and less on "how" those learned skills should be applied, LeClair says.

With the current shortfall of skilled IT professionals, there has been a rush to fill the pipeline with individuals to fill those vacant seats, and in many cases, it seems the rush has increasingly cut short the emphasis on ethics, she adds.

"Wherever training or education is provided, from high schools to colleges, training centers to the workplace, ethics must take a prominent place in the curriculum," says LeClair. "In many cases, the ethics training that is received today by our cybersecurity students does not provide cases on these types of situations that would present themselves to the cyber professional."


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
REISEN1955, User Rank: Ninja, 10/19/2017 | 8:36:04 AM

Security Pro?

Hardly IF you browse your company's data JUST to find out interesting stuff. Doing so with a purpose - to see if walls can be breached - is entirely different.