Network World
Insider controls still lacking

Cyber-Ark survey offers depressing results
Security Strategies Alert by M. E. Kabay, Network World, 07/24/2008

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


My colleague Tito de Morais, a security-awareness expert in Portugal, has kindly allowed me to reprint some information he sent me that, as he said, "stresses the importance of background checks or perhaps psychological evaluations of personnel who can access critical or personal information."

He pointed me to the results of a survey released by security software vendor Cyber-Ark Software. The report has particular significance given the events of last week, when a network administrator for the City of San Francisco allegedly locked up the city's computer systems.

Here are some highlights of the report:

• 300 senior IT professionals, mostly from companies with more than 1,000 employees, responded to the survey carried out by Cyber-Ark.
• About half admitted to accessing “information that was not relevant to their role” using administrative passwords.
• About a third admitted to accessing confidential information such as salary details, personal e-mail, and meeting minutes.
• About a third of the administrative passwords are changed only quarterly and about 9% are permanent, “giving access indefinitely to all those who know the passwords, even when they've left [their employer].”
• Half the respondents said they needed no authorization from anyone else to use the privileged accounts that granted access to information they had no business accessing.
• Almost three-quarters of the companies in the sample set used insecure channels for transferring confidential data to business partners: about a third used e-mail, about a third used couriers, about a quarter used FTP and 4% used postal mail. Apparently “12% of these senior IT personnel who were interviewed also choose to send cash in the post!”

Tito de Morais continued his commentary to me as follows:

“This reminded me of a case I followed closely in which a tech support guy had access to a PC where the payroll Excel file was stored. The file was used to process salaries and it contained banking details about where the salaries were supposed to be deposited every month. The tech support guy just inserted his bank account details on a director’s record and started receiving the director’s salary each month. The scam lasted some six months – until the day the bank manager called the director because the account lacked funds!”

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
