At least one in four IT security staff use their privileged login rights to look at confidential information, a survey has revealed.
More than a quarter of the 300 IT professionals polled in the latest annual password survey by identity management firm Lieberman Software said they could not resist peeking at redundancy lists, payroll information and other sensitive data including, for example, Christmas bonus details.
The survey also showed that a fundamental lack of IT security awareness in enterprises, particularly around password control and privileged logins, is potentially paving the way for a further wave of data breaches in 2012.
Some 42% of respondents said that IT staff in their organisations are sharing passwords or access to systems or applications, 26% said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information, and 48% said their companies are still not changing their privileged passwords within 90 days as required by most major regulatory compliance mandates.
“Our survey shows that senior management at some of the largest organisations are still not taking the management of privileged access to their most sensitive information seriously,” said Philip Lieberman, president and chief executive officer of Lieberman Software.
Where there is unsupervised, unaudited and unauthorised access to bonus information, IT security is seriously flawed, he said.
Organisations that fail to manage privileged access to systems could end up in the same situation as UBS AG, which lost $2.3bn because rogue trader Kweku Adoboli was allowed unfettered access to their systems, said Lieberman.
“These fundamentally careless practices and procedures revealed by the IT departments of the organisations we surveyed could cost them dearly in 2012,” he said.
Privileged accounts hold elevated permission to access files, install and run programs, and change configuration settings. Their misuse is a major reason for data leakage, said Lieberman.