From the Medicine Cabinet to the Data Center – Snooping Is Still Snooping

Friday, November 03, 2017

Jackson Shaw


We’ve all done it in one form or another. You go to a friend’s house for a party and you have to use the restroom. While you are there, you look behind the mirror or open the cabinet in hopes of finding out some detail -- something juicy -- about your friend. What exactly are you looking for? And why? Are you feeding into some insecurity? You don’t really know, you just know you are compelled to look.

Turns out that same human reaction carries forward to your place of employment. 

At One Identity we recently conducted a global survey that revealed a lot of eye-opening facts about people’s snooping habits on their company’s network. At a high level, the survey revealed that when given the opportunity to look through sensitive company data that an employee may not be permitted to access -- the instinct is to snoop. Before we get into specific results, here are the demographics:

  • We surveyed over 900 people from around the world.
  • Countries include the U.S., U.K., Germany, France, Australia, Singapore and Hong Kong.
  • Eighty-seven percent have privileged access to something within their place of employment.
  • They all have some level of security responsibility with varied titles ranging from executive to front-line security pros.
  • Twenty-eight percent are from large enterprises (>5,000 employees); 28 percent from mid-sized enterprises (2,000 to 5,000 employees); the remainder were from organizations with fewer than 2,000 employees.

Key Finding Number One: 92 percent of respondents stated that employees at their company attempt to access information that they do not need. 

Think about that. Ninety-two percent of us are trying to access information we don’t need to get our jobs done. Imagine if any employee at your company could access sensitive data like salary. That would. Now imagine employees obtained access to financial data, customer data or merger information -- and then shared it. The result could be catastrophic to your business.

Key Finding Number Two: 66 percent of the security professionals surveyed have tried to access information they didn’t need.

Worse yet, these are security people that probably have some form of elevated privileges. This means not only are they attempting to access that information but in many cases, they are actually obtaining access and ultimately abusing that privilege.

Key Finding Number Three: Executives are more likely to snoop than managers or front-line workers.

Interestingly, IT security executives are more likely to look for sensitive data not relevant to their job than any other job level. This is worrisome for many since they tend to have greater access rights and permissions -- once again, indicating abuse of power.

The bottom line here is that organizations should be alarmed by these findings. A common myth among many is that data is safe when it’s on a company network and in the hands of its trusted employees -- it’s the outsiders and hackers you have to look out for. While the latter is certainly true, the data shows that the majority of all employees -- even those within the ranks of IT security groups -- are nosy when given the opportunity to be. Implementing best practices around identity and access management -- like role-based access rights and permissions and applying identity analytics to spot any signs of unusual access behavior -- can help organizations safeguard themselves from letting sensitive data fall into the wrong hands before it’s too late.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
