IT pros usually know where the bodies are buried. Sometimes that's because they're the ones holding the shovel.
We asked InfoWorld readers to reveal the dirtiest secrets of IT -- the less-than-white lies and dark sides of technology that others may not be aware of. We then ran those "secrets" through a BS detector, fact-checking them with experts in the relevant field. In some cases the experts concurred, in other cases they did not.
Do sys admins wield power far beyond the CIO's worst nightmares? Are IT employees routinely walking off with company equipment? Can the data you store in the cloud really disappear in an instant? Are you paying far too much for tech support?
Dirty IT secret No. 1: Sys admins have your company by the short hairs
When the IT fox is guarding the data hen house
Anyone who's followed the Edward Snowden story knows what kind of damage a sys admin with an agenda can do. But even IT people may not realize the full range of unfettered admin access and the kinds of pain it can bring.
"There are no secrets for IT," says Pierluigi Stella, CTO for managed security service provider Network Box USA. "I can run a sniffer on my firewall and see every single packet that comes in and out of a specific computer. I can see what people write in their messages, where they go to on the Internet, what they post on Facebook. In fact, only ethics keep IT people from misusing and abusing this power. Think of it as having a mini-NSA in your office."
This situation is more common than even most CIOs are aware of, says Tsion Gonen, chief strategy officer for data protection firm SafeNet.
"I'd estimate this is true in 9 out of 10 organizations," he says. "Enterprise security is only as secure as the ethics of trusted IT administrators. How many of them have sys admins who abuse their access privileges is harder to say -- but enough to hit the news almost every week. The scariest thing is that the same people who present the greatest risk are often the very people who approve access."
David Gibson, VP of Varonis, a data governance solution provider, agrees that admins are often able to access data they shouldn't without being noticed, but he puts the number closer to 50 percent. He adds it's not just the admins; most users have access to far more data than they need to do their jobs.
He says the solution comes down to getting a better handle on two things: reducing access to get to a "least privilege" model, and continuous monitoring of who is accessing data.
"The organization needs to be able to see who has access to what data, who the data belongs to, and who has been accessing which files," he says. "From there, IT can involve the data owners directly to make informed decisions about permissions and acceptable use."
Dirty IT secret No. 2: Your employees may be helping themselves
When "retired" IT assets enjoy a surprise second career
Old tech equipment rarely dies, it just finds a new home -- and sometimes, that home is with your IT employees.
"Employee theft of retired equipment is commonplace," says Kyle Marks, CEO of Retire-IT, a firm specializing in fraud and privacy compliance issues relating to IT asset disposition. "I have never met someone from IT that doesn't have a collection of hardware at home. To many, taking retired equipment is a victimless crime. Most don't view it as a security threat. Once equipment is retired, they act like it is fair game."
The problem with taking equipment bound for the scrap heap or the recycling bin is that it often still contains sensitive data, which if lost could result in massive liability for the company that owns the equipment, says Marks. And, of course, it is still theft of company equipment.
"Theft and fraud are serious situations that create massive privacy liability," he adds. "A capricious IT insider can have costly consequences if left unchecked. Yet in most cases, the people responsible for making sure assets are disposed of properly -- with all data removed -- are in IT. Organizations need to have a 'reverse procurement' process that assures assets are retired correctly."
But does every IT employee really steal old hardware? A veteran of the IT asset disposition industry, who asked to remain anonymous, says the problem isn't nearly as commonplace as Marks makes it out.
"I'm not saying that theft is nonexistent," he says. "I am simply stating that I have never met anyone in the industry with that particular mind-set."
Most equipment that goes missing is simply lost for other, less nefarious reasons -- like it was shipped to the wrong place, he adds.
"It sounds like a bad generalization when in essence a lot companies pride themselves on providing secure services and act in a way that is completely honest and full of integrity."
Dirty IT secret No. 3: Storing data in the cloud is even riskier than you think
All the security in the world won't help when Johnny Law comes knocking
Storing your data in the cloud is convenient, but that convenience may come at a high price: the loss of your data in a totally unrelated legal snafu.
"Most people don't realize that when your data is stored in the cloud on someone else's systems alongside the data from other companies, and a legal issue arises with one of the other companies, your data may be subject to disclosure," says Mike Balter, principal of IT support firm CSI Corp.
In other words, your cloud data could be swept up in an investigation of an entirely unrelated matter -- simply because it was unlucky enough to be kept on the same servers as the persons being investigated.
The classic illustration of this principle occurred in January 2012, when U.S. and New Zealand authorities shut down Kim Dotcom's MegaUpload file locker in January 2012. Along with a trove of allegedly pirated movies, the authorities confiscated the data of thousands of law-abiding customers and refused to return it. Whether those customers will ever get their data back remains unresolved.
"The risk of seizure is real," confirms Jonathan Ezor, director of the Touro Law Center Institute for Business, Law and Technology. "If there is any legal basis for law enforcement or other government officials to seize storage devices or systems -- which may require a warrant in certain circumstances -- and those systems contain data of both suspects and nonsuspects, all might be taken. Ultimately, any time an organization's data are stored outside of its control, it cannot prevent someone from at least gaining access to the hardware."
Users who want to protect themselves against this worst-case scenario need to know where their data is actually being kept and which laws may pertain to it, says David Campbell, CEO of cloud security firm JumpCloud.
"Our recommendation is to find cloud providers that guarantee physical location of servers and data, such as Amazon, so that you can limit your risk proactively," he says.
Encrypting the data will decrease the chance that anyone who seizes it will be able to read it, adds Ezor. Another good idea: Keep a recent data backup nearby. You never know when it might end up being your only copy.
Dirty IT secret No. 4: Your budget's slashed, but the boss has a blank check
RFPs are for peons
In virtually every midsize or larger organization, there are two ways to get purchases approved, says Mike Meikle, CEO of the Hawkthorne Group, a boutique management and information technology consulting firm. There's the official purchasing procedure -- a time-consuming process that forces you to jump through more flaming hoops than a circus act. And there's the special procurement diamond lane, available only to a special few.
"People at the senior leadership level have their own procurement pipeline," he says. "What takes an IT person eight months to obtain through official channels these execs can get in a few weeks, if not sooner. It's what I call the Diamond Preferred plan. I've never worked with an organization in government or private industry that didn't have a secret procurement path."
The purpose of the official procurement process is to make it harder for employees to spend the company's money, says Meikle -- unless, of course, they know the secret handshake. Unfortunately, he adds, the CIO is usually not a member of this club, which means large tech purchases can be made without serious cost benefit analysis or consideration of IT's strategic vision.
"They'll go out to lunch, a vendor will whisper sweet nothings in their ear, and the next thing you know they've spent half a million on a mobile application management solution, not realizing you already had one," he says. "Now you have two."
Not so, contends a private consultant to the military and Fortune 100 companies who asked to remain unnamed. While there are cases where organizations may bypass standard procurement procedures, it's almost always for something the IT department needs right away and doesn't want to waste weeks cutting through red tape to get it, he says.
"Nontechnology executives don't know enough about IT to make a large purchase decision," he adds. "If a senior executive circumvents the procurement process, that purchase order has to have a signature on it before the supplier will ship it. If anything goes wrong with that technology, the executive would be accountable and traceable. That's like kryptonite to those guys."
Dirty IT secret No. 5: You're getting the short end of the customer support stick
That technician is just another script kiddie
Stop us if this sounds familiar: You're on the phone with a support technician halfway around the globe, but you get the distinct impression they know less than you do and are just reading from a script. Guess what? They probably are.
"IT support is a cheap commodity," says Tim Singleton, president of Strive Technology Consulting, a boutique support firm catering to small and midsized businesses. "Tools that do most of it for you are free, and computers require less knowledge now than they used to. Your neighbor's daughter or the tech-savvy guy in accounting can probably fix your computer as well as any IT company."
But some say that assessment is too broad. While that may be true for the simplest problems, it's not true for more complex ones, notes Aramis Alvarez, SVP of services and support at Bomgar, which makes remote IT support solutions for enterprises.
"The problem with calling IT support a 'cheap commodity' is that not every problem is created equal," says Alvarez. "Some basic issues can be diagnosed by any tech-savvy person, but difficult ones, such as viruses, cannot. Your neighbor's daughter may be armed with enough knowledge to be dangerous, but she could end up destroying the data on your computer."
Then you may end up paying much more later to clean up the mess, adds Joe Silverman, CEO of New York Computer Help -- which often happens when companies cut corners by shortchanging or overburdening internal IT support.
"We have gone to many NYC offices and apartments to see the leftover tracks of a shoddy computer repair or IT job from another company, family member, or friend who acted as the go-to IT guy," he says. "The guy in accounting who sometimes takes care of computer issues is most likely too busy and too inexperienced to fix a failed hard drive, motherboard, or power supply. If the network or server crashes, do you want to really depend on your accounting guy to get the job done, or a senior network engineer with 20 years of experience?"
Dirty IT secret No. 6: We know a lot more about you than you think
Going all in on data collection
Think the NSA has you under surveillance? They're punks compared to consumer marketing companies and data brokers.
One of the biggest offenders are casinos, says J.T. Mathis, a former casino database manager and author of a self-published expose about his experience titled, "I Deal to Plunder: A Ride Through the Boom Town." When you enter a casino, you're gambling with more than just money -- you're risking your most personal data. Mathis estimates that his former employer's marketing database contained the names of more than 100,000 active and inactive gamblers.
"From the moment you enter the casino, everything you do is tracked," says Mathis. "If you sit down at a slot machine, they know exactly where you're at, how many times you've pulled the handle, and how much money you're putting in. They know you like to eat at 4:30 and order the lobster platter. They know your favorite cigarettes and wine and whether you watched porn in your room. And when you arrive during the summer they know the lady you're with is not your wife, so employees make sure to call her Cindy and not Barbara."
Former casino executive and LSU professor Michael Simon confirms Mathis' story. But, he adds, it's not that much different than the kind of data collection performed by companies like CVS, PetSmart, or Amazon.
"I teach an MBA class on database analysis and mining, and all the companies we study collect customer information and target offers specific to customer habits," he says. Simon, author of "The Game of My Life: A Personal Perspective of a Retired Gaming Executive," adds, "It's routine business practice today, and it's no secret. For example, I bring my dog to PetSmart for specific services and products, and the offers they send me are specific to my spending habits, and I like that. PetSmart on the other hand gives me what I want instead of wasting time sending me stuff I won't use like discounts on cat food or tropical fish."
One thing that is different: When Mathis was laid off in May 2012, he still had copies of the database in hand. When he tried to return it, he was out of luck -- the casino refused to return his calls. Talk about gambling with your data.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.