IT snooping - what is your team looking at?

A recent survey from Cyber-Ark Software reveals the following:

Whilst you sit there innocently working away, little do you realize that a third of your IT colleagues have been snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people’s personal emails, board meeting minutes and other personal information.

…One third of the survey sampled admitted to using their privileged rights to access information that is confidential or sensitive by using the administrative passwords as a means of peeking at information that they are not privy to.

I don’t think these results will surprise anyone. In fact, only last month a case of an employee caught in the act of snooping on somebody else’s email passed by my desk, and I’m sure there are many more that go unnoticed. Another article here goes into more specifics on employee snooping within an American healthcare business:

Snooping into celebrity health records by workers at UCLA Medical Center sheds light on a largely hidden ailment facing employers: their own people peeking at confidential data.

And then there was the well-publicized case of American State Department workers snooping on passport applications.

There is a whole range of controls one could suggest, but I reckon it’s more down to company culture. Having a standard of ethics that all employees have to read is a good start. More fundamentally, promoting a decent and open work environment where employees feel valued, get paid a decent wage, and are treated with respect is the best control of all.

Curiosity, however, is human nature. If we want to protect private data from the possibility of access by a snooping IT administrator, then we also need a decent set of process and technical controls, including auditing of privileged account use. The message needs to be loud and clear that IT staff snooping on, or accessing, resources they have no legitimate reason to view will not be tolerated.