My name is Mark Fullbrook, I'm the Director for the UK and Ireland for Cyber-ark and it was me that commissioned this survey.
Let me give you some feedback on how this survey was run.
We asked 300 people with Administrative privileges a series of questions at the Infosecurity Europe Show which took place in April in London. How did we know they had administrative privileges? Well, we asked them, of course!
Once we had established their suitability we asked them a series of questions. Things like:
"Have you ever used your administrative privileges to access information that was NOT relevant to your role?" (That had over a 30% positive response rate)
"If you left your company tomorrow which of the following would you consider taking with you?" - followed by a list of things like Company records, HR records of course, highlighting one which said NOTHING. (We had 88% of people choose something OTHER than NOTHING)
There were a few other questions of course, and we intend to publish this as a white paper, but I just want to address some of the responses on this site.
First of all, I find it amazing how many times admins respond to these types of survey with the view that it is the users' fault that they have to set up back doors or that they do not need to be monitored because of some God-given right to anonymity.
Cyber-ark produce software that provides companies with the ability to automate password changes on privileged accounts, whilst ensuring that Administrators and Privileged users get the full access they have always had. The alternative is to just trust your user base and (from our survey) whilst that is fine for 12 of your 100 Admins, it might be a little foolish for the other 88 (I'm being slightly sarcastic here - but I'm trying to keep in line with the tone of most of the responses!!)
We don't supply companies with software to monitor privileged access because most IT Admins and Privileged Users are good, we do it because every now and again, you are going to have a bad one... and why give them the opportunity if you don't have to.
Feel free to get in contact with me if you want to hear any more about the survey and please, feel free to visit us at Infosecurity 2009 and take the survey yourself, and then you can see if things turn out differently. Personally, I don't think they will.
Incidentally, to those that say "it was fixed", ZDNET responded to an earlier release centered around the "would you use your administrative privileges to access information NOT relevant to your role" question by running their own survey... Guess what? The results were exactly the same.
BIG SMILEY FACE because generally, I'm a pretty happy guy.
(I just get a little excited when people say my company is lying)