Contrary to security best practices, most employees are seeking out, and finding, information that is irrelevant to their jobs.
According to a global survey of more than 900 IT security professionals from One Identity, 92% of respondents reported that they have caught their employees attempting to access information they don’t need for their day-to-day work—and nearly one in four (23%) admitted this behavior happens frequently.
This is also a case of physician, heal thyself: Nearly two in three (66%) IT security professionals admit they have specifically sought out or accessed company information they didn’t need. IT security executives are the guiltiest by level: 71% of executives admit to seeking out extraneous information, compared to 56% of non-manager-level IT security team members. Additionally, 45% of executives admit to snooping for or accessing sensitive company performance information specifically, compared to just 17% of non-manager team members.
It all adds up to a major “snooping” problem among today’s workforce.
The survey, conducted by Dimensional Research, found that the transgressions among IT pros include the abuse of elevated rights attributed to the IT security role. These are used to access a range of sensitive information, but company performance information especially is a hot commodity: More than one in three (36%) of IT pros admit to looking for or accessing sensitive information about their company’s performance, beyond what is required to do their jobs.
“While insider threats tend to be non-malicious in intent, our research depicts a widespread, intrusive meddling from employees when it comes to information that falls outside their responsibility—and it could be that meddling that ends up putting their employers in hot water,” said John Milburn, president and general manager of One Identity.
The survey also found that the smaller the company, the bigger the snoop: 38% of IT security professionals at companies with 500-2,000 employees admit to looking for or accessing sensitive performance data, versus 29% of professionals at companies with more than 5,000 employees.
Also, workers in technology companies are the most likely to go on a sensitive information hunt: About 44% of respondents working for technology companies admit to searching for sensitive company performance information, compared to 36% in financial services, 31% in manufacturing and just 21% in healthcare.
“Without proper governance of access permissions and rights, organizations give employees free rein to move about the enterprise and access sensitive information like financial performance data, confidential customer documentation or a CEO’s personal files,” Milburn added. “If that information winds up in the wrong hands, corporate data loss, customer data exposure or compliance violations are possible risks that could result in irreversible damage to the business’s reputation or financial standing.”