Most British IT administrators would steal company data if they were laid off tomorrow, according to a new report. The stark warning comes at torrid time for European IT security specialists as a seemingly never-ending roll-call of personal data blunders lengthens every month and EU legislation looms.
In recent weeks, a memory stick containing the personal details of almost 130,000 criminals was reported missing in the UK and the bank details of more than a million Britons were found on a server sold on eBay. In Norway, the national tax office accidentally sent the tax ID numbers of its whole population to the media. And in Germany data protection officials uncovered a scam where up to 20 million pieces of data collected by a call centre, including bank account details, dates of birth and addresses, had been sold.
The survey of 300 IT administrators in the UK by Cyber-Ark Software is, perhaps, alarmist. After all, it is in IT administrators interests to scare their employers at a time of economic uncertainty, especially if they can do so via anonymous questionnaire. But it does highlight heightened concerns about data accessibility and encryption.
Certainly, Cyber-Ark boss Udi Mokady has a point when he says: "Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it's often considered too much hassle. When people leave the organisation, they can often still access the network using these passwords to acquire highly sensitive data."
One-third of the respondents in the survey said that they believe data leakage is rife within their organisations via USB sticks, iPods, PDAs, laptops or simply over email. Even if this figure is only partially accurate, it adds more pain to IT security management when one considers that European companies could soon be forced to tell customers if their personal data has been lost or stolen.
The proposals are part of a new ePrivacy Directive that has been proposed by the European Commission. MEP Malcolm Harbour has told journalists that he is confident that the data breach legislation will be ratified by the European Parliament.
"It will be mandatory for service providers to disclose to customers if their personal data has been breached," he said. "The [European] Commission said that this will now become a requirement. The [European] Parliament took a rather dim view of this rather sketchy proposal. [But] the general view now is that it's a practical and workable proposal."
The new legislation will apply to any "public web service", a quintessentially EU-type catch-all term that covers ISPs, online retailers and anyone in-between. Interestingly, it looks like state IT services will be excluded from the rules, presumably allowing for the list of governmental data blunders to grow even longer.