Monday, May 30, 2011

STOP! - LOOK! - OBSERVE! Bad People Around

Sometimes we get so technical that once we have protected ourselves from external threats, we already feel confident and safe, and we become too trusting of the people within our organization. Well, stop, look around and observe vigilantly.

Just recall the most recent $10M incident at Bank of America, where an insider sold customer data to outsiders. Yeah, an insider did it!


A survey showed that 40% of IT staff admit that they could hold their employers hostage - even after they’ve left for other employment - by making it difficult or impossible for their bosses to access vital data by withholding or hiding encryption keys.

A third of the Venafi survey respondents said that their knowledge of and access to encryption keys and certificates, used for both system authentication and data protection, means they could bring the company to a grinding halt with minimal effort and little to stop them. This is due to lack of oversight and poor management of their organisation’s encryption keys.

They claim that even after they have left they still could cause havoc with their knowledge of the encryption keys, shared passwords and weak controls. 40% of respondents admitted that they would still have access to vital information and could manipulate it to their own ends—both to their company's financial and reputational detriment.

31% of respondents astonishingly said that they could still access organisational data because they could easily retain the encryption keys when they left and access the information remotely.

Finally, 24% of respondents to the survey admitted that their fear of losing encryption keys is what is deterring them from investing in encryption key and certificate solutions to protect digital assets and secure sensitive system communications.

The survey shows that 82% of companies now use digital certificates and encryption keys; however, 43% admit to being locked out from their own information - because people have left the organization or keys are lost - and 76% would use automation if they knew it existed.

These same companies are unaware of how to manage their keys and certificates, leaving them exposed to unplanned system outages, security risks and reduced access to critical data. 

Jeff Hudson, Venafi CEO, said: “It’s a shame that so many people have been sold encryption but not the means or knowledge to manage it. They have found out the hard way—after being locked out from their own information—that they need an automated solution to manage the thousands of keys and certificates they have. Once the data's protected with encryption, the key becomes the data and the thing that must be managed and protected. Key Encryption is only half the solution. IT departments must track where the keys are and monitor and manage who has access to them. What this survey reveals is that organisations need to quickly come to terms with how crucial encryption keys are to safeguarding the entire enterprise as well as the heightened need for automated key and certificate management with access controls, separation of duties and improved policies. It’s no longer rocket science. Yet recent, costly breaches at Sony, Epsilon and elsewhere reinforce the need for both more encryption and effective management. There are some great solutions on the market that can manage and automate these assets at a click of a switch.”

Get the complete survey information from here.


Editor's Note: Cross post from Help Net Security.
