One in three IT administrators say they or one of their colleagues have used top-level admin passwords to pry into confidential or sensitive information at their workplace, according to a survey by a password-management vendor.
Nearly half also confessed that they have poked around systems for information not relevant to their jobs.
“We asked these questions last year, too,” said Adam Bosnian, vice-president of product strategy and sales for Cyber-Ark, a Newton, Mass.-based maker of password file security management software. “And we got similar results. So on one hand, the results weren’t surprising. What was surprising initially — and this time around, too — is that people admit to it.”
Last month, Cyber-Ark polled approximately 300 senior IT professionals at a London security conference and trade show, asking them a dozen questions about their password practices. The majority of those surveyed said they work for companies with more than 1,000 employees.
The fact that a third acknowledged they had abused an admin password to access out-of-bounds information shouldn’t surprise anyone, said Bosnian. “Everyone thinks that IT administrators are the trusted ones, and it’s all the rest that we need to worry about. But admin passwords not only give administrators a lot of power, they also provide a lot of anonymity.”
That combination is too tempting for some to fight, and would explain the high number of respondents who said that they had poked into places they didn’t belong, Bosnia added. “People think, ‘I feel a little bit safer’ when they’re using an admin password. There could be hundreds of people with access to that password.”
Cyber-Ark’s survey also asked IT workers to select three things they’d try to take with them if they were told they would be fired the next day. The top two vote-getters: customer database (35 per cent) and a list of all privileged passwords (31 per cent). “That’s not really surprising either, is it?” said Bosnian. “The customer database is one of the company’s most valuable assets.”
The poll also revealed behavior that wouldn’t make any security best practices lists. Almost a third – 28 per cent — of the IT professionals polled said that they’d written privileged passwords on paper, while nearly one in ten admitted that they never changed critical passwords.