Companies have been warned to closely monitor IT managers and their access to critical data as they often "possess more knowledge than the CEO".
Joe Goicoechea, principal consultant with corporate security specialist Insight Intelligence, said IT staff pose a real threat if organisations do not regularly undertake audits to ensure they aren't just wandering through systems without accountability mechanisms in place.
Goicoechea supports surveillance of IT managers, especially those who are disgruntled, with proof of logon usage and systems accessed. Audit trails, he said, are used extensively in large organisations and can provide proof of misuse and unauthorised access.
He said it would be inappropriate to say organisations need to spy on IT professionals; instead he referred to it as accountability.
Australian IT professionals who spoke with Computerworld agreed that while it is possible for IT people to abuse their powers, the consequences are high.
Huntsman Chemical Company Australia IS manager Wes Kosior said audit trails are useful, "but a good IT person would know how to cover his or her tracks".
He said IT staff with full access can be a risk, but "there is a need to understand the staff and have trust in them".
Security policies apply to the entire company including IT staff, he said, and IT staff in large organisations do not have access to all company information.
"Not every IT person has access to sensitive information and normally only one or two people would have global access; our IT policy is signed by all users including IT," Kosior said.
While no formal audits of IT staff activities are undertaken, he said log files of some high-level transactions are available for most systems. Kosior said this is necessary to "carry out investigations, sometimes to clear someone or to back up accusations".