The Systems Administrators Guild of Australia (SAGE-AU) has released a fiery statement defending the systems administrator role against a claim that almost half of all IT email administrators and IT managers look at their managers' emails regularly.
The Sydney Morning Herald published quotes from Earthwave's CEO Carlo Minassian, who said, "We know that 40 per cent of IT email administrators and IT managers look inside their manager's, their board's, their chief information officer's, and chief executive officer's emails regularly and read their email."
SAGE-AU pointed out that Earthwave, which provides security services and advice to companies looking to outsource systems, would have a vested interest in companies believing that their IT admins are reading company emails.
SAGE-AU admitted that IT administrators do have access to "vast ranges" of sensitive information, and that they sometimes need to use that access to do their jobs. However, SAGE-AU said that the number of system admins spying on emails without permission would be much lower than 40 per cent. SAGE-AU said that the rate would likely be the same as that for other crimes listed in Australian Bureau of Statistics (ABS) reports, which are in low-digit percentages.
"Further, modern information systems provide multiple audit trails, which demonstrate both authorised and attempted or actual unauthorised access to any form of data on a computing system. Actions which result in data access by any user, including system administrators, are logged at time of access and recorded in security log files. Access by administrators to private data of the scale suggested in the article would simply not go unnoticed," the organisation said in a statement.
SAGE-AU members have to commit to a code of ethics, it said, which includes "appropriate use of an employer's computing assets" and the need to uphold privacy for material on company systems. However, not all employees read company codes, as shown by the recent Independent Commission against Corruption (ICAC) hearing looking into the conduct of a University of Sydney manager, who said that he often signs things without reading what they say.
Minassian has stood by his information, saying that the 40 per cent figure had come from investigations using the company's Real-time Threat Analysis and Incident tool, with a sample size of about 400 medium- to enterprise-sized companies. When the tool was being used less widely, the figure had been higher, he said.
The figure also excluded one-off clients that had contacted the company to investigate the issue, as well as email snooping that is difficult to detect, such as reading email from backup tapes or from the company's file system.
Along with looking at logs to checking email snooping, the tool also carries out other policing, to check, for example, when a sales employee copies a customer database before leaving the company, or when a developer takes code.
Minassian backed up his numbers with a Ponemon Institute study (PDF) conducted in December 2011 and sponsored by HP. It surveyed 5569 IT operations and security managers in 13 countries, including Australia, where 64 per cent of those surveyed believed that those with privileged access rights feel that they are allowed and empowered to access things, and 61 per cent believed that those with privileged access rights look at sensitive or confidential data because of their curiosity.
Minassian said that it is natural for the 60 per cent of administrators who are being ethical to be upset by the figure, as it questions their integrity.
He also agreed with SAGE-AU's comment that audit trails are there to detect such intrusions, but said that managing security takes time and money.
"Lack of resources and leadership makes it difficult to address the insider threat. Speaking with our clients, we have found out that the number one barrier to addressing this risk is lack of sufficient resources, followed by lack of leadership and finally ownership of managing insider threats," he said, adding that it doesn't make a lot of sense to have the same people that provide the services monitoring performance.
"Insiders have two things that external attackers don't: privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets and conduct malicious acts, all while flying under the radar unless a strong incident-detection solution is in place," he said.
According to SAGE-AU president Stephen Gillies, hiring the right staff is critical.
"Employers should seek to employ staff with a strong sense of ethics who recognise their professional duties as reflected by their membership of an appropriate professional organisation," he said.