88% of IT Admins Would Steal Passwords If Laid Off
narramissic writes "According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords' survey, a whopping 88% of IT administrators would steal CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords if they were suddenly laid off. The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
Post here if you're a minority as well (Score:5, Informative)
I haven't, I wouldn't. At best you encounter some of those things during ordinary work or even unproductive boredom.. but I totally see no value in having such details of a place you no longer work.
(Of course here in Europe there's a due notice so you have plenty of paid time to find a new job, but still..)
Maybe I'm just daft or weak?
Re:Not reasonable (Score:5, Informative)
It's off topic, but please tell me more about your IT infrastructure. I promise to to do anything bad with it.
I am constantly amazed at how willing people are to tell you how to attack their own systems, particularly on Slashdot, where simply implying somebody is doing poorly will practically get you full description, network maps, and vulnerability reports.
Similarly, I was talking to a friend in the Army the other day about IT security, and he told me that he didn't think I could attack his unit's systems, then went into a long discussion about what protections are in place. Out of curiosity, I decided to find out what I could learn. He only clammed up when I started probing for specifics about password policies on a particular device.
People: please don't tell anybody about your IT configuration. At least not on a public forum like /. Admittedly, a lot of it is easy to find out other ways, but that's no reason to give that information out.
Re:a survey (Score:4, Informative)
Re:Strong morals? (Score:5, Informative)
Scoundrels always think everyone else is a scoundrel, too.
Personal security policy (Score:2, Informative)
That is why personal security is an important aspect of any security policy.
In Poland, where I live, if you have a nontrivial IT job as admin it almost certainly requires you to have government certificates. Such certificates allow you to handle secret information. Without it you basically cannot do any serious job. So I would think twice before getting information I am not intended to.
Also it should be a part of security policy that accounts and passwords are not shared and so on. So even if I would need to sack an admin and resulting conflict I would probably first lock all his access and then fire him. Not the other way around.
But to be able to do that you need strong and mature policies (which IMO is 80% of success) and technological support such as an identity management system (which IMO is 20% of success).
Re:Not reasonable (Score:3, Informative)
Seconded. I work in banking, and the primary assumption in fraud prevention is that your procedures have to reasonably control fraud/theft attempts where fully authorised employees are involved - and then 'purely outside' fraud gets covered by that as well.
Wow, (Score:3, Informative)
88% though?!? That's staggering, I have a hard time believing that ethics in the IT industry are so poor to validate a number that large? I want to know details about who they surveyed to qualify that number.
I know that the sociopath mentality is the way of the road at the top of some parts of corporate America (especially in the energy industry it would seem), and I wouldn't be surprised to see this number if it related to executives based on the nightly news, but in my IT circles we look on that behavior with scorn rather than having envy to aspire to it. And frankly I just don't see this type of thinking any place within the company I currently work for, top to bottom.
This is really an amazing report. Frankly it makes me fearful at what type of reprise knee jerk reaction management types are going to take based on this story.
Sigh...
That brings up a good point... (Score:3, Informative)
I'd guess that they probably used a lot of leading or misleading questions in a poorly defined sample group simply to release some press kit.
Which makes them sales people and that's a much lower rung in the IT world.
Re:Layoffs vs. Firings (Score:3, Informative)
What if a company decides to make you "redundant" with zero warning (illegal in the UK) and zero severance package (also illegal in the UK)?
You're being fired on the spot without being paid for the last few weeks work, but they call it a layoff, so you're fine, right? You'll get your severance in 6-12 months through a tribunal. Well, half of it after the no-win-no-fee solicitor's had his share...
Your potential employer wants a reference. Do they get it? Do they hell. Legal recourse? None. You want to pay your rent but even working 24/7 at minimum wage doesn't cover it, but that's ok because you were "laid off" not sacked. Sure the landlord will agree... And of course the local convenience store will give you credit on food so you can feed yourself because you were "laid off"... yeah right
At the end of the day taking information is essential to a sysadmin's survival outside the workplace. Sysadmins get special treatment because there's the perceived threat that once sacked we can and will do whatever we like, so getting rid of us is a quick process, usually involving the cutting of all ties such as the company's contractual obligations in regards to pay, even pay that we've already worked for
Having a little ammunition to "motivate" them in pre-tribunal discussions is essential
Of course, if companies behaved responsibly like my last redundancy, there'd be no need for any of this childishness, and you'd be laid off with the understanding that yes, you know all the root passwords but you promise not to use them. An industry-standard severance package, clear reference procedure and an honest handshake means I'll uphold my end of that bargain with no problem, but god help any company that ever tries to fuck me over again...
Sysadmins generally don't go looking for ways to fuck companies, they just know how to protect themselves, and not forgetting passwords is one way to achieve that
Re:Not a surprise. (Score:4, Informative)
Most of them aren't young. I'm 33, and the majority are about my age or older. With one exception, the youngest is 30.
Even when I was 'having my fun,' I was smart enough not to talk about it out loud at work. Keys were sometimes passed along quietly, but that usually happened when walking between buildings. Bursting into a room announcing that you've found a download site for the movie being released this weekend is bad form, but it's happened a few times this year alone.