Many employees in the modern workplace simply assume their electronic communications are being read by IT administrators. A new study released Thursday by IT security firm Cyber-Ark Software shows that those assumptions aren't too far off base.
The survey of 300 senior IT professionals at mid-market and enterprise firms yielded the disturbing news that a third admit that they or fellow administrators have "used the admin password to get at information that is otherwise confidential or sensitive," while nearly half say they have "accessed information on a system that was not relevant" to their jobs.
Presenting the results of its annual "Trust, Security and Passwords" survey at the recent Infosecurity Expo in London, Newton, Mass.-based CyberArk stressed the scandal of the two questions concerning snooping by IT staff, but the bulk of the study concerns more mundane areas of data leakage prevention, such as the frequency with which passwords are changed on computer networks.
The results of the survey weren't surprising, said Adam Bosnian, VP of products and sales at CyberArk.
"With all the power and access these admins have, and then add in that with their privileged access they're anonymous, the temptation is enormous for this sort of activity," Bosnian said. "And these are not low-level guys. These are the guys running IT administration at their companies. So what emerges from this is that companies can't afford to just blindly trust their IT admins."
But color at least one IT security expert skeptical about the results of the CyberArk survey. Tom McArthur, president of Weston, Mass.-based IT security service provider Storbase, wonders if the vagueness of the "snooping" questions might have skewed the responses.
"Clearly, IT administrators need this access [to private data on their company's network]," McArthur told ChannelWeb. "The question I have is how they posed these questions about snooping. Are they really snooping or just doing their jobs?"
McArthur said the reasons an IT administrator might need to access otherwise private data in media such as e-mail range from searching for missing or poorly archived messages to maintaining compliance at companies that have an official acceptable use policy.
"It's not uncommon for e-mail admins to set up an acceptable use policy and they'll monitor that. And it's completely legitimate in my mind," he said. "Now I have heard some of the IT guys I know have a chuckle about what they find, you know, 'We caught them saying this or that,' but it's not 'snooping' because it's company policy."