Could the IT Staff Hold Your Company Hostage?

Tuesday, May 24, 2011



Infosecurity Europe 2011 has released a study that indicates as many as forty percent of IT staff respondents admit they could in theory hold their company "hostage" even after they have ceased to be actively employed.

Survey participants revealed that weak security controls, shared passwords and their knowledge of the company's data encryption keys would allow them to cause serious problems by making it difficult to access vital data, if so inclined.

"A significant number of IT staff could cause chaos for their organizations with their knowledge of and access to digital certificates and encryption keys due to lack of management controls and no separation of duties," the report concludes.

Venafi InfoSecurity 2011 market survey results:

  • 82 percent stated that the company they worked for used digital certificates and keys
  • 43 percent said that they had tried to open or access a document or file but failed because it was encrypted
  • 6 percent said that they could hold their organization to ransom if they wanted to by holding back access to encryption keys, 49 percent said they could not and 15 percent said it was not applicable to them
  • 31 percent said that if they left, they could take the keys with them and still access sensitive information remotely, 53 percent said they could not and 15 percent said it was not applicable
  • 43 percent said that if they left the company they could still cause havoc with their knowledge of digital certificates and keys
  • 76 percent said that they would use a tool to automate the management of encryption keys while 12 percent said they would not use it

The crux of the problem lies in the inability of organizations to adequately manage as many as thousands of encryption keys effectively.

“It’s a shame that so many people have been sold encryption but not the means or knowledge to manage it. They have found out the hard way—after being locked out from their own information—that they need an automated solution to manage the thousands of keys and certificates they have. Once the data's protected with encryption, the key becomes the data and the thing that must be managed and protected," said Venafi CEO Jeff Hudson.

Hudson believes many companies are unaware of commercial solutions available that would allow proper management of encryption keys and digital certificates, and that proper encryption management could have prevented some of the fallout from recent corporate breach events.

"Key Encryption is only half the solution. IT departments must track where the keys are and monitor and manage who has access to them. What this survey reveals is that organisations need to quickly come to terms with how crucial encryption keys are to safeguarding the entire enterprise as well as the heightened need for automated key and certificate management with access controls, separation of duties and improved polices. It’s no longer rocket science. Yet recent, costly breaches at Sony, Epsilon and elsewhere reinforce the need for both more encryption and effective management. There are some great solutions on the market that can manage and automate these assets at a click of a switch," Hudson explains.

The complete Infosecurity Europe 2011 survey results are available here.

Possibly Related Articles:
Data Loss Encryption breaches Enterprise Security Management Insider Threats Digital Certificates Employees head
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.