Last issue we talked about the recent survey, conducted for Courion, of IT managers concerning risk management in their enterprises. Today we'll look at another recent survey which included IT managers -- and more.
Cyber-Ark has just released results of its fifth annual "Trust, Security and Passwords" survey, conducted in the spring of 2011 with 1,422 IT staff and C-level professionals across North America and EMEA (Europe, Middle East and Africa).
One eye-opener was the extent to which IT personnel admitted to insider data breaches: When asked if they had ever accessed information on a system that was not relevant to their role, 28% of North American IT staff respondents admitted to snooping, while an even greater share in EMEA, 44%, admitted to the same behavior. Similarly, 74% of North American respondents and 31% of EMEA respondents said that they or one of their colleagues had used an administrative password to access information that was otherwise confidential or sensitive.
This simply reinforces results others have seen -- that the prying eyes looking at private data are more often located within the organization than outside.
For example, for those of you feeling smug about the security you already have in place: to the question, "Can you get around any controls that have been put in place to monitor your privileged access?" just over 40% of IT personnel and 47% of C-level personnel answered with a resounding "yes"!
Interestingly, when asked which department was most likely to snoop on confidential information, the overwhelming choice was IT (picked by 53% of EMEA IT staff, 45% of U.S. IT staff and 52% of C-level staff).
Adam Bosnian, executive vice president of Americas and corporate development, Cyber-Ark Software, summed up the results this way: "Privileged accounts are the key tool that external attackers and insiders leverage to access and exfiltrate an organization's sensitive information. Security teams need to start with improving the protection of these key internal targets -- not simply building bigger walls around the enterprise."
In light of this survey and of what we now know about the RSA data breach (see "Accentuate the positive, obfuscate the negative"), we should all take his words to heart.
You can find the entire survey results (as well as those for the previous two years) at the Cyber-Ark website -- interesting reading!