I have to admit that this ArsTechnica article surprises and angers me:
A study conducted by security company Cyber-Ark indicates that a significant number of corporate IT personnel snoop sensitive data, and nearly 9 out of 10 would take company secrets and remote access credentials with them if they were fired. This could pose a serious security risk for many companies and expose them to industrial espionage and other dangers.
The results of the Trust, Security and Passwords study are based on a survey of 300 system administrators at the Infosecurity 2008 event in Europe. Of the study respondents, 88 percent admitted they would take sensitive data with them when leaving their current place of employment, and approximately one-third said that they would abscond with company password lists. That could be a serious cause for concern for companies that have complex and loosely secured technological infrastructure.
Cyber-Ark claims that one-third of companies participating in the survey experience data breaches and theft on a regular basis. Information is leaked to competitors through a multitude of vectors, including e-mail, portable devices, and USB thumb drives. More than a quarter are also the victims of internal sabotage.
I have worked for two of the Big Three automotive companies (Ford and General Motors) as well as a number of other companies where I had access to all sorts of sensitive data and information, and not once did I ever consider stealing any of it. Not because of any possible consequences of such an action, but because it would be wrong to do so. I’ve worked at the General Motors Design Center in Warren, where I saw all manner of prototype vehicles that car magazines would love to get the details on ahead of time, as well as the Milford Proving Grounds, where the prototypes were put through their paces. I worked in the Alpha Building at Ford Motor Company, where literally gigabytes of data on whole car lines were stored on various PCs and network shares. When I was laid off from Ford, twice, I was seriously upset, but not once did I consider the possibility of taking anything with me.
Sure, both companies had policies in place meant to make such thefts harder – certain workstations at GM blocked writing to USB devices of any kind – but nothing that I didn’t have knowledge of how to circumvent and certainly nothing proactive enough to have stopped me had I wanted to take any data. I suppose I’m just too honest to think of such things. I have a sense of honor at the idea that I’m entrusted with the care and support of such data. It angers me that so many others would violate that trust because, at a minimum, it makes my job that much harder. Stupid and ineffective restrictions, like the blocking of USB devices, just end up getting in the way of fixing machines, and just the fact that so many others are untrustworthy means I’ll be looked at with suspicion by association. Hell, it means I’ll be looking at my fellow colleagues with suspicion as well, and that’s just not the sort of work environment I want to be in.
The fact that this survey was done by a security company probably means it’s somewhat inflated, but if it’s even remotely close to the truth it’s very upsetting indeed.