Jun 04 2007
I’m not sure why it surprises anyone that a study indicates one in three IT employees would abuse their access. To me, this just illustrates basic human nature; a certain number of people are going to abuse their power, no matter what. It’s true in politics, it’s true in the board room, why would the server room be any different?
There’s been a lot of talk about the insider threat versus the threat of someone coming from the outside. Both are important issues to deal with, but this study highlights two reasons I think the insider threat should be a bigger concern than it is. First, the fact that this study surprises anyone is an indicator that we’re not taking the issue seriously enough. Second, IT professionals have the opportunity and ability to access more internal resources than most users, all that needs to be added is a motive and you’ve got a breach.
This study was concerned with the abuse of passwords, but I wonder what a overall ethics survey of the IT field would turn up. I’m willing to bet that to the more cynical amongst us, it wouldn’t be a big surprise. I’d also like to see the same sort of survey given to a sample group of CISSP’s. Now that survey might turn up a few surprises, since we signed a code of ethics to become certified. Would we do all that much better than the rest of the IT field?
People are people, good, bad and ugly. IT professionals are no better or worse than anyone else. This is one of the reasons we have checks and counterbalances in our systems, so that the abuse of one person is hopefully caught by another professional.
Cyber-Ark wanted to prove that passwords suck, the stuff about IT staffers was just what the blogosphere latched onto. Guess what, everyone knows password’s suck, but we haven’t come up with a better alternative yet. And even when we do, people are going to abuse their privileges.