Study: IT admins read private e-mail

Files, wage data, personal e-mails and HR background may not be as private as thought

IT staff routinely snoop on users, riffling through their e-mails and personal files, a newly released survey has found.

One IT administrator laughingly said: "Why does it surprise you that so many of us snoop around your files, wouldn't you, if you had secret access to anything you can get your hands on?"

Few ordinary users realize that one in three of their IT colleagues are using admin privileges to snoop through company systems, peeking at confidential information such as private files, wage data, personal e-mails, and HR background.

These are the findings of a survey released today by digital vaulting specialist Cyber-Ark Software, which carried out the research at last month's Infosecurity Exhibition as part of its annual survey into "Trust, Security and Passwords."

What's more, the survey found that more than one-third of IT professionals admit they could still access their company's network after leaving their current job, with no one to stop them.

More than 200 IT professionals participated in the survey. Many revealed that, although corporate policy did not allow IT workers to access systems after termination, over one-quarter of respondents knew of another IT staff member who still had access to sensitive networks long after leaving the company.

Post-It Notes and passwords

More than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders from the IT security industry to do otherwise. IT pros are no exception: over half of respondents admitted to using Post-It notes to store passwords to administrator accounts.

One IT administrator said: "Sure, it's easy for an employee to update the personal password to their laptop, but to change the administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down."

Administrative passwords

One-fifth of all organizations admitted that they rarely changed their administrative passwords, with seven percent saying they never change them. This may explain why one-third of all people questioned would still have access to their network even after leaving the company. Eight percent of IT professionals said that the manufacturer's default admin password on critical systems had never been changed. This remains the most common way for hackers to break into corporate networks.

Gary McKinnon, dubbed "the most profligate military hacker of all time" for gaining entry to 90 US military computer systems by scanning for blank administrator accounts, said: "The easiest way to infiltrate a company's network is to look for administrative passwords which are left blank, still have the manufacturer's default password or just use obvious names. Once you find these, which are unbelievably simple and common to find, you're into the system and have the highest level of authority -- bingo you've got control of the company's system."
