InfoSec Pros Among Worst Offenders of Employer Snooping

A majority of IT security professionals admit to trolling through company information unrelated to their work -- even sensitive material.

IT security professionals often cross the ethical line when it comes to their employer, with 66% of survey respondents admitting that they seek out and access company information that they didnt need to do their work, according to a survey released today.
The global survey, which queried 913 IT security professionals, found 36% of respondents were willing to take it a step further and admitted to hunting down, or accessing, sensitive company performance information that was irrelevant to their work.
And it turns out that IT security executives were the worst offenders of this snooping behavior, compared to the rest of their team, according to the Dimensional Research survey commissioned by One Identity.
When it comes to general snooping of company information that is not sensitive, 71% of IT security executives admitted to this behavior, compared with 56% of IT security workers who did not hold a managerial position, the survey found.
The percentage of IT security executives willing to track down or access sensitive company performance information was a whopping 40%, compared with 17% for IT security team members who were not in a managerial role.
I had an IT role in the past. There is always a temptation with privileges to explore where they should not explore. But what surprised me was how pervasive it is, says Jackson Shaw, senior director of product management for One Identity.
While the survey did not dig into the specific types of sensitive company performance information that IT executives sought, generally this type of information may fall into the realm of company profits and revenue, he noted. As for non-company performance information, IT security professionals may spend trolling through layoff lists, promotion lists, and employee salaries buried within the bowels of the human resources department, Shaw surmised.
Most file servers at companies are not heavily locked down, and typically the IT security staff has the most privileges, so its entirely possible that these people know what the monitoring technology is looking at and know how not to get caught, says Shaw.
He estimates that less than 50% of companies likely track the movements of their IT security teams and IT administrators as they move through the corporate network and other systems.
The
survey
also found that 92% of IT security professionals say that employees at their companies attempt to access the information they dont need to do their work. Also, 44% of IT security pros working at technology companies admit to searching for sensitive company information, compared to 36% at financial services companies or 21% of healthcare companies.
Guarding the Gatekeepers
Cybersecurity ethics is a topic that some colleges, as well as workshops, address. But often the topic of ethics may center on what an IT security professional should do when tracking down and dealing with hackers and cybercriminals.
However, cybersecurity professionals should be held to a higher standard when it comes to their own behavior, says Jane LeClair, president and CEO of the Washington Center for Cybersecurity Research and Development and former dean of the school of business and technology at Excelsior College in Albany, NY.
As with any profession where sensitive information is available — medical, military, finances, etc. — those who are involved with the care and security of that information should be held to a higher standard, LeClair says. With the use of powerful computers, those in the IT arena have been entrusted with not only the ability to access that sensitive data but to safeguard it as well. Part of that responsibility is the intrinsic control to restrain oneself from snooping into material that is beyond the scope of ones normal area of activity.
People tend to snoop out of natural curiosity and because their personal sense of accountability has not been adequately developed, LeClair explains.
Personal responsibility stems from a childhood where trust and integrity are ingrained at an early age and then continues through the maturing process that leads to adulthood, she adds, noting that people placed in positions of responsibility before they have matured and have developed appropriate life filters tend to have errors in judgment.
As for IT security executives who troll through their employers data and information that is not tied to their work, LeClair points to an 19th century adage attributed to Lord Acton that power tends to corrupt and absolute power corrupts absolutely.
Computers are, for now anyway, the ultimate instruments of information and power…. Knowledge is power, she says. Executives and people in positions of responsibility seek control of their situations and those that might influence their status. Acquiring knowledge beyond what is personally needed to perform an assigned job or responsibility provides data and insights that can be filed away for future use and self-promotion. The more power and information you attain, the greater your position and the more power and information you seek to maintain your status.
Can Ethics be Trained?
While it may be
human nature to snoop
, the filters an individual places on their behavior can be a learned experience, LeClair says.
Much of that comes from the upbringing you experience from childhood and carries on through schooling and into adulthood. Sadly, in seemingly increasing numbers, people are missing out on developing those filters of personal accountability and trust, she observes.
In the past, emphasis on attaining computer skills has focused on the nuts and bolts of acquiring those skills and less on how those learned skills should be applied, LeClair says.
With the current shortfall of skilled IT professionals, there has been a rush to fill the pipeline with individuals to fill those vacant seats, and in many cases, it seems the rush has increasingly
cut short the emphasis on ethics
, she adds.
Wherever training or education is provided, from high schools to colleges, training centers to the workplace, ethics must take a prominent place in the curriculum, says LeClair. In many cases, the ethics training that is received today by our cybersecurity students does not provide cases on these types of situations that would present themselves to the cyber professional.
Related Content:
IT Pros Wrestle With Ethics
Corporate Ethics are Situational
Blackphone Promises To Block Snooping
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity
agenda here
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
InfoSec Pros Among Worst Offenders of Employer Snooping