IT pros aren’t confident that their company can fend off data breaches, according to a recent survey – and part of the blame lies inside the IT department.
IT staffers don’t think their company is doing a great job at preventing cyber attacks, or at least they’re not confident enough to bet money on it, according to a survey conducted by Lieberman Software at the recent RSA Conference 2013.
When 250 conference attendees were asked if they would bet $100 that their organization would be free from data breaches over the next six months, 73% of them said no.
As usual, part of the problem is the company’s users: Most IT pros (81%) said their organization’s employees don’t follow the security rules put in place by the IT department. That’s especially dangerous since 75% also said employees have access to more data than they need to do their jobs.
IT creates problems, too
But the survey also uncovered similar issues in the IT department — most tech employees have access privileges that exceed what they need for their positions. And those privileges are often abused.
More than half (64%) of respondents said they can get to information they don’t need. And more than a third (38%) said they’ve seen a co-worker view information that he or she shouldn’t have.
IT employees often present the biggest insider threat in an organization. Not only do tech staffers have access to a lot of data, they also typically have the know-how needed to get information and cover their tracks.
To help protect information, many organizations have started keeping a close watch on users’ access privileges. But the Lieberman survey suggests IT managers should start doing the same thing inside their own departments.
Organizations should keep an updated list of all the privileged accounts that exist on the company’s network so they can easily audit who has access to what. It’s also a good idea to monitor how accounts are used to check for suspicious activity.
In addition, more than half (54%) of the IT pros who caught a snooping co-worker didn’t report the offender. Companies may want to address that kind of situation in their policies and IT staff training.