One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues' salary details, personal emails or board-meeting minutes, according to a survey.
US information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role.
"All you need is access to the right passwords or privileged accounts and you're privy to everything that's going on within your company," Mark Fullbrook, Cyber-Ark's UK director, said in a statement released along with the survey results on Thursday.
"For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems. To those 'in the know' they are the keys to the kingdom," he added.
Cyber-Ark said privileged passwords get changed far less frequently than user passwords, with 30 percent being changed every quarter and 9 percent never changed at all, meaning that IT staff who have left an organization could still gain access.
It added that seven out of 10 companies rely on outdated and insecure methods to exchange sensitive data, with 35 percent choosing email and 35 percent using couriers, while 4 percent still relied on the postal system.
一项调查显示,三分之一的IT从业人员利用自己的网管权限偷窥同事的工资、私人电邮及董事会会议记录等一些保密信息。
美国Cyber-Ark信息安全公司对300名高级IT人员开展的一项调查显示,三分之一的人承认自己曾偷窥过公司的保密信息及同事的隐私,47%的人说他们曾浏览过与本职工作无关的信息。
本周四调查结果公布时,该公司英国区总监马克•福尔布鲁克在发言中说:“你只需输入正确的口令或登录有特别权限的管理员账户,公司的所有机密信息就一览无余了。”
他说:“在多数人看来,管理员密码只不过是IT部门用于更新或维护系统的一个工具,不会有什么害处。而对于那些‘知情人士’来说,这可是‘打开王国的钥匙’。”
Cyber-Ark公司说,网管密码的修改频率比普通用户密码要低得多。其中30%的网管密码每季度修改一次,9%从未修改过,这意味着IT人员离职后还能用管理员密码登录以前公司的内部系统。
此外,70%的公司仍采用一些落后、不安全的方式传送敏感数据;分别有35%的公司用电子邮件和快件传送数据信息,而还有4%的公司仍采用邮政系统传送。