Study Raises Spectre Of E-Mail Snooping By IT Pros

Many employees in the modern workplace simply assume their electronic communications are being read by IT administrators. A new study released Thursday by IT security firm Cyber-Ark Software shows that those assumptions aren't too far off base.

The survey of 300 senior IT professionals at mid-market and enterprise firms yielded the disturbing news that a third admit that they or fellow administrators have "used the admin password to get at information that is otherwise confidential or sensitive," while nearly half say they have "accessed information on a system that was not relevant" to their jobs.

Presenting the results of their annual "Trust, Security and Passwords" at the recent Infosecurity Expo in London, Newton, Mass.-based CyberArk stressed the scandal of the two questions concerning snooping by IT staff, but the bulk of the study concerns more mundane areas of data leakage prevention such as the frequency with which passwords are changed on computer networks.

The results of the survey weren't surprising, said Adam Bosnian, VP of products and sales at CyberArk.

Sponsored post

"With all the power and access these admins have, and then add in that with their privileged access they're anonymous, the temptation is enormous for this sort of activity," Bosnian said. "And these are not low-level guys. These are the guys running IT administration at their companies. So what emerges from this is that companies can't afford to just blindly trust their IT admins."

But color at least one IT security expert skeptical about the results of the CyberArk survey. Tom McArthur, president of Weston, Mass.-based IT security service provider Storbase, wonders if the vagueness of the "snooping" questions might have skewed the responses.

"Clearly, IT administrators need this access [to private data on their company's network]," McArthur told ChannelWeb. "The question I have is how they posed these questions about snooping. Are they really snooping or just doing their jobs?"

McArthur said reasons an IT administrator might need to access otherwise private data on mediums such as e-mail range from searching for missing or poorly archived messages to their responsibilities to maintain compliance at companies that have an official acceptable use policy.

"It's not uncommon for e-mail admins to set up an acceptable use policy and they'll monitor that. And it's completely legitimate in my mind," he said. "Now I have heard some of the IT guys I know have a chuckle about what they find, you know, 'We caught them saying this or that,' but it's not 'snooping' because it's company policy."

Next: The Appeal Of Outsourcing

Andy Harper agrees in part with McArthur, saying "it's a fine line on enforcing acceptable use policies" when it comes to respecting the privacy of employees. Harper, CIO of managed IT service provider Gaeltek, said monitoring and enforcing policies governing such things as employee Internet surfing can yield "astonishing and even embarrassing" details that workers would no doubt prefer weren't known.

But Harper has also seen first-hand the damage some internal IT administrators do to their companies.

"We took over network management at a client in Bloomington, Ill. who suffered exactly that problem of a disgruntled employee accessing all the private data," he said. "The manager asked us in to do an audit and I was there for all of an hour when they said, 'Can you please lock the network down and lock this guy out?'"

Harper added that such situations make outsourcing IT management to companies like Manassas Park, Va.-based Gaeltek all the more attractive to businesses. Unlike internal administrators, outside service providers have no real incentive for digging around in the data for something juicy, he said.

"I don't really care what my client's data is. I just care about preserving it," Harper said. "There's an advantage to outsourcing data management, because we have absolutely no interest in the office gossip or who's making what salary, etc."

McArthur, who said he's dealt directly with "500 IT guys in the past five years," said there may be some bad eggs in internal IT departments, but he finds it hard to believe that as many are taking liberties with their data access privileges as the CyberArk survey indicates.

"Clearly, the IT guys are not the highest paid guys in the organization, but they have access to everything," McArthur said. "To me, it's just amazing what an IT person could do. But the good thing is that there seems to be a high degree of professionalism amongst them.

"My experience has been that with IT people, their general nature is that they're fairly honest people and they're not doing this kind of stuff."

While the headlines the CyberArk survey is garnering play up the malicious angle on data snooping by IT administrators, Bosnian said ill intent is not always the cause of privileged access problems.

"It's not always done maliciously," he said. "Sometimes it's a lark or even a mistake. But at the end of the day, companies still need to protect their data from these kinds of occurrences, whether it's an insider threat, a lark or an accident."