It’s not what you know. It’s not even just who you know. It’s who you know who knows how to monitor e-mail, and has the access.
The Globe and Mail this week published a story about an investigation by regulators into an IT analyst at TD Securities who was admitted to using his e-mail privileges to obtain insider information which he used to make trades under a relative’s name. The story suggested this kind of problem is more rampant than we think, and that IT departments may see managing a network as an illegal fast track to financial well-being.
I was interested to read through the 33 comments this story generated. Some of the responses were obvious. There were those who said IT staff should be subject to police background checks before they are hired. Others debated the power of various encryption techniques. Some said there were too many IT people who weren’t “real” engineers and therefore would inevitably be up to no good. Then there was this one, which came from someone who decided to style themselves A. Nonymous:
“IT people are often the lowest in the pay and social hierarchy of any company. They do however, exercise the most ‘administrative’ power on peoples desktop (sic), so in order to compensate for lack of pay, lack of respect, etc, what else is there to do but snoop?” he or she asked. “A lot of IT people feel they have the right to inspect data going across ‘their’ network. Certification can teach a lot of skills, but one can't really teach ethics.”
I can’t help but think that industry associations like CIPS, which has for years maintained a highly reputable Code of Ethics in conjunction with its I.S.P. certification, would disagree. I wondered about that other point, though. Does maintaining and developing IT infrastructure give those involved such a sense of ownership that they feel entitled to do what they want? Is it a trade-off that stems from how they are valued (or not valued) by employers?
Of course, in some cases IT departments are specifically tasked with inspecting data, or setting up and monitoring the policies that govern who has access to what. This includes identity management systems as well as business process rules in a variety of enterprise applications. One of the prescriptions offered in the Globe article was to tighten the gateways to privileged information, but that won’t be possible if IT departments can’t be trusted.
The other thought that comes to mind involves associations that some security experts have made between the economic downturn and the upswing in online fraud, cyber-attacks and other forms of IT-related crime. This concern primarily seemed limited to external hackers, but perhaps inside jobs will escalate, too. If that’s the case, though, I would think the economy has only stimulated criminal tendencies among IT staff that were already there just waiting to come out. You may not be able to teach ethics, but you can’t really upgrade them, either.