How secure is your company's information?

When this question gets asked, most companies will look suspiciously at the front door or at the company's firewall. Outside hackers and social engineering attacks against the nice and naive receptionist are valid threats, but recent studies show that maybe you should be more concerned about the “police” you hire to monitor your company's digital information.


According to U.S. information security company Cyber-Ark, which surveyed 300 senior IT professionals, one in every three admitted to secretly snooping on other users' data, and almost half said they had accessed data that was not relevant to their role in the company.

Mark Fullbrook, Cyber-Ark’s UK director, stated:

“All you need is access to the right passwords or privileged accounts and you’re privy to everything that’s going on within your company,”

Administrative passwords, which can seem innocuous to most, are the keys to the kingdom for IT people, and while general user passwords are changed frequently, most administrative passwords can remain the same for long periods of time, allowing previous IT employees unlimited access to corporate information.

Does this mean that you need to keep a wary eye on the geeky sysadmin who seems to have had just a little too much coffee? No, not really. Unfortunately, this is a double-edged sword: preventing your IT staff from having unlimited access prevents them from doing the job they are paid to do, but granting it opens up the company to the possibility of data leakage.

The only real solution is proper background checks and hiring standards, developing IT employees to be long-term employees, and doing regular password audits, especially post-termination.
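As an added illustration of the post-termination password audit recommended above (not code from the original article), the following Python flags privileged accounts whose password predates the departure of someone who knew it, alongside a plain age check. The account inventory, the leaver list and the 90-day limit are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the article): each privileged account,
# when its password was last changed, and everyone who has known that password.
ACCOUNTS = [
    {"name": "domain-admin", "last_changed": date(2023, 1, 10), "holders": {"alice", "bob"}},
    {"name": "db-root", "last_changed": date(2024, 3, 1), "holders": {"bob", "carol"}},
    {"name": "backup-svc", "last_changed": date(2024, 4, 20), "holders": {"carol"}},
]
# Constructed HR feed: IT staff who have left, with their last working day.
TERMINATIONS = {"bob": date(2024, 3, 15)}

MAX_AGE = timedelta(days=90)  # assumed rotation policy, not from the article


def audit(accounts, terminations, today, max_age=MAX_AGE):
    """Return {account name: [reasons]} for accounts that need rotation."""
    findings = {}
    for acct in accounts:
        reasons = []
        # Post-termination check: a former employee knew this password and it
        # has not been changed since their last working day.
        for person in sorted(acct["holders"]):
            left = terminations.get(person)
            if left is not None and acct["last_changed"] <= left:
                reasons.append(f"unchanged since {person} left on {left}")
        # Age check: password older than the rotation policy allows.
        age = today - acct["last_changed"]
        if age > max_age:
            reasons.append(f"password is {age.days} days old (limit {max_age.days})")
        if reasons:
            findings[acct["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(ACCOUNTS, TERMINATIONS, date(2024, 5, 1)).items():
        print(name, "->", "; ".join(reasons))
```

In the sample data, `db-root` is only 61 days old and passes the age check, yet it is still flagged because it was last changed before a former holder left.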
