No one on your company’s IT staff would access confidential information about co-workers without permission, right?
Are you sure?
One third of IT employees admit to using their access rights to view sensitive and private information in company databases, according to a recent survey by Cyber-Ark.
Common types of data perused: employee e-mail, salaries and contact info.
To make matters worse, the survey found 30% of companies change their privileged access passwords only once a quarter — and 9% never change them. That means the snooping can continue even after a staffer changes roles or leaves the company.
Dealing with insider threats
Of course, most technology employees wouldn’t think of doing anything disruptive, illegal or unethical. But as recent news stories have shown — like the one about the techie in San Francisco who blocked access to the city’s network and refused to hand over the password — there are some bad apples out there.
To protect private data, HR and IT management need to work together to make sure tech employees are following the rules. Here are some preemptive steps to take:
- Perform reference/background checks — Checking applicants’ history is one way to keep out IT staffers who might abuse their access privileges.
- Make sure the rules are clear — IT employees can be more likely to violate policies than other employees because they have a better idea of how to get around technology controls. That’s why it’s important to have rules about who can access what, and to discipline people who break them.
- Restrict access — Employees should only be able to view data that they need for their jobs.
- Change passwords — Passwords should be changed regularly and be complex enough to stay unpredictable. That’ll reduce the likelihood of unauthorized employees (or even ex-employees) accessing things they shouldn’t.