
Unauthorized snooping in the office may not necessarily be on the rise in Asia, but companies are becoming more attuned to the problem and looking to address associated risks, according to a security practitioner.
P.F. Vilquin, security director for Asia-Pacific and Japan at CA Technologies, told ZDNet Asia in an e-mail interview that employee abuse of system administrative privileges to access data in the corporate network has "always" been an issue. The consequences, he added, are typically more severe when the abuse is carried out by IT staff.
Such behavior, he noted, does not appear to be getting more common but companies are now more sensitive to the problem and do understand the different levels of access to data and risks associated with "super users".
His assessment echoes the findings of a recent survey of 400 senior IT professionals in the United Kingdom and United States released earlier this month by Cyber-Ark Software. The study revealed 41 percent of respondents admitted they or their colleagues abused administrative passwords to snoop on information such as customer data and human resource records.
In addition, over two-thirds of respondents said they had previously accessed data that was not relevant to their role. Some 54 percent also pointed to the IT department as the most likely culprit of snooping activities.
Tech, employee education key to mitigating risk
According to security advisors, companies can take steps to minimize the risk of unauthorized access to confidential information.
Vilquin pointed out that in order to devise a security strategy to address the issue, organizations must first know where their sensitive data sits, who has access to it and the means of access. They can then source suitable technology to help enforce processes and protect corporate data from careless or malicious staff or external parties.
For instance, the "root" or "administrator" account on an operating system typically provides access to virtually everything in the system. Companies may consider additional tools to ensure segregation of duties "even at the privileged user level", he said.
Shared accounts, he added, must be eradicated or highly controlled using password management software to ensure only one user utilizes the account at any time, as this enforces accountability.
Tools to prevent data loss or misuse also need to be in place to control the access, usage and flow of information.
Vilquin explained: "Relationships between people and information change with their roles. For instance, it may be legitimate for the CFO to access financial reports and e-mail them, but while the system administrator could access them because of his role, he probably [should not be] authorized to e-mail them or make copies of them."
At the end of the day, he noted, an organization's goal should be to "make it harder" for people with ill-intent to achieve their objectives and control employee actions to prevent mistakes. Any systems implemented ought to help automate the enforcement of controls in such a way that disruption to people performing their jobs legitimately is minimal, he added.
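The two controls Vilquin describes above, one accountable person per shared account and role-based limits on what a privileged user may do with data, can be checked against audit records. The Python below is an added example, not code from the article or from CA Technologies; the vault check-out and audit record formats, the role policy and the user names are all assumed.

```python
from datetime import datetime
from itertools import combinations

# Hypothetical role policy: the actions each role may perform on each data class.
# A sysadmin may read a finance report to do the job but may not e-mail or copy it.
ROLE_POLICY = {
    "sysadmin": {"finance": {"read"}},
    "cfo": {"finance": {"read", "email", "copy"}},
}
USER_ROLE = {"alice": "sysadmin", "bob": "sysadmin", "carol": "cfo"}

def overlapping_checkouts(checkouts):
    """checkouts: (account, user, start, end) records from a password vault.
    Flags two different people holding the same shared account at once, which
    removes accountability for anything done under that account."""
    findings = []
    for a, b in combinations(sorted(checkouts, key=lambda c: c[2]), 2):
        if a[0] == b[0] and a[1] != b[1] and b[2] < a[3]:  # b began before a ended
            findings.append(f"{a[0]}: {a[1]} and {b[1]} overlap at {b[2]:%H:%M}")
    return findings

def policy_violations(events):
    """events: (time, user, action, data_class) audit records. Flags any
    action the user's role does not permit on that class of data."""
    findings = []
    for ts, user, action, data_class in events:
        role = USER_ROLE.get(user)
        allowed = ROLE_POLICY.get(role, {}).get(data_class, set())
        if action not in allowed:
            findings.append(f"{ts:%H:%M} {user} ({role}) {action} {data_class}")
    return findings

def t(h, m):  # helper for constructed timestamps
    return datetime(2010, 6, 1, h, m)

# Constructed sample records, not taken from any real system.
CHECKOUTS = [
    ("root", "alice", t(9, 0), t(10, 0)),
    ("root", "bob", t(9, 30), t(9, 45)),     # overlaps alice's check-out: flagged
    ("root", "bob", t(11, 0), t(11, 30)),
]
EVENTS = [
    (t(9, 10), "alice", "read", "finance"),  # permitted for a sysadmin
    (t(9, 35), "bob", "email", "finance"),   # admin exporting a report: flagged
    (t(9, 40), "alice", "read", "hr"),       # HR data is outside the role: flagged
    (t(10, 5), "carol", "email", "finance"), # the CFO may e-mail reports
]
```

Running `overlapping_checkouts(CHECKOUTS)` and `policy_violations(EVENTS)` on the constructed records yields one overlap and two policy findings; in practice the records would come from the vault's check-out log and the file or mail audit trail.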
Gerry Chng, Ernst & Young's partner for IT risk and assurance, pointed out that organizations face a "daunting task" in data protection given the sheer volume of information as well as the rate at which new data is created.
As such, Chng said they ought to prioritize their efforts and protect crucial data, which they can identify using a business impact analysis.
He added that companies should also review the access rights granted to individuals, as employees are commonly given more access than necessary to get the job done.