10/17/2017 10:40 AM

InfoSec Pros Among Worst Offenders of Employer Snooping

A majority of IT security professionals admit to trolling through company information unrelated to their work -- even sensitive material.

IT security professionals often cross the ethical line when it comes to their employer, with 66% of survey respondents admitting that they seek out and access company information that they didn't need to do their work, according to a survey released today.

The global survey, which queried 913 IT security professionals, found 36% of respondents were willing to take it a step further and admitted to hunting down, or accessing, sensitive company performance information that was irrelevant to their work.

And it turns out that IT security executives were the worst offenders of this snooping behavior, compared to the rest of their team, according to the Dimensional Research survey commissioned by One Identity.

When it comes to general snooping of company information that is not sensitive, 71% of IT security executives admitted to this behavior, compared with 56% of IT security workers who did not hold a managerial position, the survey found.

The percentage of IT security executives willing to track down or access sensitive company performance information was a whopping 40%, compared with 17% for IT security team members who were not in a managerial role.

"I had an IT role in the past. There is always a temptation with privileges to explore where they should not explore. But what surprised me was how pervasive it is," says Jackson Shaw, senior director of product management for One Identity.

While the survey did not dig into the specific types of sensitive company performance information that IT executives sought, this type of information generally falls into the realm of company profits and revenue, he noted. As for information unrelated to company performance, IT security professionals may spend their time trolling through layoff lists, promotion lists, and employee salaries buried within the bowels of the human resources department, Shaw surmised.

"Most file servers at companies are not heavily locked down, and typically the IT security staff has the most privileges, so it's entirely possible that these people know what the monitoring technology is looking at and know how not to get caught," says Shaw.

He estimates that less than 50% of companies likely track the movements of their IT security teams and IT administrators as they move through the corporate network and other systems.
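Shaw's estimate that fewer than half of companies track what their own IT security staff and administrators touch is the gap a defender would want to close. The following is an added example, not code from the article or from One Identity, of the kind of check such tracking makes possible: it parses file-server audit records, maps each account's role to the shares that role legitimately needs, and flags reads of sensitive shares (HR, finance) that fall outside that mapping, marking which hits come from privileged accounts. The log format, share names, roles and account names are all constructed assumptions; in practice the records would come from the file server's object-access audit trail (Windows event ID 4663 or Samba's vfs_full_audit) rather than a string literal.

```python
"""Flag reads of sensitive file shares by accounts whose role does not need them.

Added example; not from the article or from One Identity. The log format,
share names, roles and account names below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the shares each business role legitimately needs.
ROLE_SHARES = {
    "hr": {r"\\fs01\HR"},
    "finance": {r"\\fs01\Finance"},
    "it-security": {r"\\fs01\SecOps", r"\\fs01\Logs"},
    "it-support": {r"\\fs01\Helpdesk"},
}

# Constructed: shares sensitive enough that out-of-role reads should alert.
SENSITIVE_SHARES = {r"\\fs01\HR", r"\\fs01\Finance"}

# Constructed: accounts with admin rights on the file servers. ACLs do not
# stop them, so the only control left is watching what they actually read.
PRIVILEGED_ACCOUNTS = {"secadmin1", "secadmin2"}

# Constructed sample audit lines: timestamp | account | role | UNC path | action
SAMPLE_LOG = r"""
2017-10-16T08:02:11Z | hr_jdoe    | hr          | \\fs01\HR\Comp\salaries_2017.xlsx | READ
2017-10-16T08:05:42Z | secadmin1  | it-security | \\fs01\Logs\fw\2017-10-15.log     | READ
2017-10-16T08:07:03Z | secadmin1  | it-security | \\fs01\HR\Comp\salaries_2017.xlsx | READ
2017-10-16T08:07:19Z | secadmin1  | it-security | \\fs01\HR\Layoffs\q4_plan.docx    | READ
2017-10-16T09:30:55Z | fin_asmith | finance     | \\fs01\Finance\Q3_results.xlsx    | READ
2017-10-16T11:12:08Z | secadmin2  | it-security | \\fs01\Finance\Q3_results.xlsx    | READ
2017-10-16T11:14:20Z | it_helpdsk | it-support  | \\fs01\HR\Comp\salaries_2017.xlsx | READ
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    share: str   # share root, e.g. the server plus top-level share name
    path: str    # full UNC path that was touched
    action: str


def share_root(path: str) -> str:
    """Reduce a UNC path to its server and share so subfolders match the policy."""
    parts = path.strip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2])


def parse_log(lines):
    """Yield AccessEvent objects from pipe-delimited audit lines; skip blanks."""
    for line in lines:
        if not line.strip():
            continue
        ts, user, role, path, action = (f.strip() for f in line.split("|"))
        yield AccessEvent(ts, user, role, share_root(path), path, action.upper())


def out_of_role(ev: AccessEvent) -> bool:
    """True when the event touches a sensitive share the actor's role does not need."""
    return ev.share in SENSITIVE_SHARES and ev.share not in ROLE_SHARES.get(ev.role, set())


def find_out_of_role_reads(lines):
    """Return every sensitive-share access not covered by the actor's role."""
    return [ev for ev in parse_log(lines) if out_of_role(ev)]


def summarize_by_account(hits):
    """Group hits per account and mark privileged ones, since those are the
    accounts least likely to be covered by ordinary access controls."""
    summary = defaultdict(lambda: {"count": 0, "privileged": False, "shares": set()})
    for ev in hits:
        entry = summary[ev.user]
        entry["count"] += 1
        entry["privileged"] = ev.user in PRIVILEGED_ACCOUNTS
        entry["shares"].add(ev.share)
    return dict(summary)


if __name__ == "__main__":
    hits = find_out_of_role_reads(SAMPLE_LOG.splitlines())
    for user, info in sorted(summarize_by_account(hits).items()):
        tag = "PRIVILEGED" if info["privileged"] else "standard"
        print(f"{user:12} {tag:10} {info['count']} out-of-role reads: {sorted(info['shares'])}")
```

Run against the constructed log, the script reports secadmin1 twice and secadmin2 once against HR and finance data while the HR and finance users' own reads pass silently; the helpdesk account's read is also reported, but without the privileged marker. The role-to-share mapping is the part worth maintaining carefully: it is what turns a raw audit trail into a statement about whether a read was part of someone's job.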

The survey also found that 92% of IT security professionals say that employees at their companies attempt to access information they don't need to do their work. Also, 44% of IT security pros working at technology companies admit to searching for sensitive company information, compared with 36% at financial services companies and 21% at healthcare companies.

Guarding the Gatekeepers
Cybersecurity ethics is a topic that some colleges and workshops address, but the discussion often centers on what an IT security professional should do when tracking down and dealing with hackers and cybercriminals.

However, cybersecurity professionals should be held to a higher standard when it comes to their own behavior, says Jane LeClair, president and CEO of the Washington Center for Cybersecurity Research and Development and former dean of the school of business and technology at Excelsior College in Albany, NY.

"As with any profession where sensitive information is available — medical, military, finances, etc. — those who are involved with the care and security of that information should be held to a higher standard," LeClair says. "With the use of powerful computers, those in the IT arena have been entrusted with not only the ability to access that sensitive data but to safeguard it as well. Part of that responsibility is the intrinsic control to restrain oneself from snooping into material that is beyond the scope of one's normal area of activity."

People tend to snoop out of natural curiosity and because their personal sense of accountability has not been adequately developed, LeClair explains.

Personal responsibility stems from a childhood where trust and integrity are ingrained at an early age and then continues through the maturing process that leads to adulthood, she adds, noting that people placed in positions of responsibility before they have "matured" and have developed appropriate life "filters" tend to have errors in judgment.

As for IT security executives who troll through their employer's data and information that is not tied to their work, LeClair points to a 19th-century adage attributed to Lord Acton: power tends to corrupt, and absolute power corrupts absolutely.

"Computers are, for now anyway, the ultimate instruments of information and power…. Knowledge is power," she says. "Executives and people in positions of responsibility seek control of their situations and those that might influence their status. Acquiring knowledge beyond what is personally needed to perform an assigned job or responsibility provides data and insights that can be filed away for future use and self-promotion. The more power and information you attain, the greater your position and the more power and information you seek to maintain your status."

Can Ethics be Trained?
While it may be human nature to snoop, the filters an individual places on their behavior can be a learned experience, LeClair says.

"Much of that comes from the upbringing you experience from childhood and carries on through schooling and into adulthood. Sadly, in seemingly increasing numbers, people are missing out on developing those filters of personal accountability and trust," she observes.

In the past, emphasis on attaining computer skills has focused on the nuts and bolts of acquiring those skills and less on "how" those learned skills should be applied, LeClair says.

With the current shortfall of skilled IT professionals, there has been a rush to fill the pipeline with individuals for those vacant seats, and in many cases, it seems the rush has increasingly cut short the emphasis on ethics, she adds.

"Wherever training or education is provided, from high schools to colleges, training centers to the workplace, ethics must take a prominent place in the curriculum," says LeClair. "In many cases, the ethics training that is received today by our cybersecurity students does not provide cases on these types of situations that would present themselves to the cyber professional."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
REISEN1955 (User Rank: Ninja), 10/19/2017 | 8:36:04 AM
Security Pro?
Hardly IF you browse your company's data JUST to find out interesting stuff. Doing so with a purpose - to see if walls can be breached - is entirely different.