Former employees could hold companies hostage by keeping encryption keys, survey warns

A third of survey respondents said that their knowledge of and access to encryption keys means they could bring the company to a grinding halt with minimal effort and with little to stop them. The survey is based on a sample of 500 IT security specialists taken at InfoSecurity Europe 2011 in April of this year.

The survey shows that 82% of companies now use digital certificates and keys. However, 43% admit to being locked out of their own information because people have left the organization or keys are lost, and 76% would use automation if they knew it existed.

“The thing that really jumped out for me is that just about every organization said that they don’t use an automated system for their certificate and encryption keys”, said Jeff Hudson, Venafi’s chief executive officer. “People are using certificates and encryption, but they are not managing or automating them in any formal, organized way”, he told Infosecurity.

Because certificates and encryption keys are not properly managed, company insiders could “do bad things”, he noted. “The underlying conclusion is that even though companies are using certificates and encryption, they are not always increasing their security because they are not managing the keys”, he stressed.

Companies could find themselves in a situation where the person responsible for overseeing confidential information has left, with no systems in place to ensure that the data they were working on can be retrieved, Venafi noted. Of survey respondents, 23% admitted they would not be able to access their encrypted data, leaving them vulnerable to data breaches and loss.

“If you lose the key, you will never see the data again. Contrary to popular belief, there is no back door to encryption”, Hudson said.

A full 31% of respondents said that they could still have access to the company’s data because they could easily take the encryption keys with them when they left and access the information remotely. Finally, 24% of respondents to the survey admitted that their fear of losing encryption keys is what is deterring them from investing in encryption key and certificate solutions to protect digital assets.

“There is this very large underlying security problem with managing keys and certificates in organizations. And this survey points this out. If you don’t use the encryption technology, you’re at risk. But if you use it and don’t manage the keys properly, you are still at risk because the insiders can still have access to the keys and take the keys with them”, Hudson concluded.
