Dark secrets, ugly truths: When ethics and IT collide


Meanwhile, new data from the Ponemon Institute reveals how commonly IT employees bend the rules. In a June 2007 poll of more than 16,000 U.S. IT practitioners, 62% said they had accessed another person's computer without permission and 50% read confidential or sensitive information without a legitimate reason. In addition, 42% said they had knowingly violated their company's privacy, security or IT policies.

And these weren't newbies or outliers. The average experience level was 8.4 years, and about 32% of respondents were at or above the manager level. Over 81% worked at companies with more than 5,000 full-time employees.

That's in keeping with the ethical standards of Tim, a systems administrator who works at a Fortune 500 agricultural business. When Tim, who asked that his last name not be published, happened across an unencrypted spreadsheet of salary information on a manager's PC, he copied it. He didn't share the information with anyone or use it to his advantage. "I didn't take it for nefarious reasons -- I just took it to prove that I could," he says.

It was an impulsive act, he admits, that stemmed from frustration with his employer. He felt that his needs were being ignored by central IT, and copying the file was a way to assert some power. "Information is power," he says.

Tim's actions point to a disturbing trend: IT professionals justifying ethically questionable behavior. That path can and sometimes does end in clearly criminal behavior, says private investigator Chuck Martell.

"We started seeing a few cases about seven or eight years ago," says Martell, who is managing director of investigative services at Veritas Global, where he investigates corporate fraud. "Now we're [investigating] a tremendous amount of them."

IT as the bad guy

One of the most common crimes is embezzlement. The typical modus operandi, says Martell, is to set up one or more shell companies in a different city or state and then send invoices for purported purchases of products or services by the employer. "That's a common theme," says Martell. "We know exactly how they do this. We know where to look." Martell's company recently cracked such a case and recovered $360,000 plus stolen hardware.

The good news is that in half of the cases, the perpetrator was turned in by a fellow IT worker, says Martell.

In the meantime, organizations wanting to mitigate how much private information IT workers can see should consider better control systems or perhaps encryption techniques, suggests Ponemon. "So much of what happens in the IT environment is transmitted in clear text," he points out. "Encryption is getting so convenient, why not encrypt [data] till it gets to its final destination?"

Whichever side of the line they're on, IT workers will continue to muddle through ethical dilemmas on their own and wrestle with their consciences afterward.

Perhaps it will ease the conscience of Bryan, who never reported the child pornography he found to law enforcement, to hear that he did just what labor attorney Hynds would've advised in his case.

"Let the company handle it," he says. "Make sure you report violations to the right person in your company, and show them the evidence. After that, leave it to the people who are supposed to be making that decision."

Does IT need a code of ethics?

Lawyers have them. Doctors have them. Is it time, in this age of unfettered digital access, for IT to have a code of ethics? At least some prominent players in the industry think so.

"We need a real call to arms for a code for IT," says Larry Ponemon, founder and chairman of the Ponemon Institute.

Some groups, including the Association for Computing Machinery and the Association of Information Technology Professionals, have adopted generalized ethics codes. The IEEE has both a general code of ethics and a software engineering code of ethics.

Five certification groups are also taking a stab at the effort. Global Information Assurance Certification, Information Systems Audit and Control Association, International Information Systems Security Certifications Consortium Inc., Information Systems Security Association and ASIS International are attempting to work together to draw up a code of ethics for IT security professionals, according to Stephen Northcutt, president of the SANS Technology Institute.

But "getting five organizations to dance together is proving quite challenging," Northcutt observes. Indeed, their greatest challenge may well be deciding what does, and does not, go into such a code.

"I think it would be really hard to reach consensus," says Ponemon. "You talk to five people and you get a hundred ideas."

If and when a universal code is ever adopted, the next step would be standards of practice that would serve as teeth behind the code -- a sort of American Bar Association for IT. If an IT worker violated the standards, in theory he might be "disbarred" from the profession.

Tam Harbert is a Washington-based freelance journalist specializing in technology, business and public policy.

This story, "Dark secrets, ugly truths: When ethics and IT collide," was originally published by Computerworld.

Copyright © 2007 IDG Communications, Inc.
