Roughly 40 percent of IT workers believe they could hold an employer’s network hostage — even after leaving the company — by withholding or hiding encryption keys, according to a recent survey of 500 IT security specialists.
The study, released Monday, May 23, also revealed that a third of survey respondents were confident that their knowledge of and access to encryption keys and certificates could bring a company to a halt with little effort. Conducted in April 2011, the survey was sanctioned by Venafi, a network key and encryption provider.
“It’s a shame that so many people have been sold encryption but not the means or knowledge to manage it,” said Jeff Hudson, CEO of Venafi, in a statement. “IT departments must track where the keys are and monitor and manage who has access to them. ... It’s no longer rocket science. Yet recent, costly breaches at Sony, Epsilon and elsewhere reinforce the need for both more encryption and effective management.”
On the public side, the city/county of San Francisco knows the perils of employees holding passwords hostage all too well. Last year Terry Childs, a former city network engineer, was found guilty of felony computer tampering for withholding passwords to the city's main computer network in 2008. Last week a superior court judge ordered Childs to pay $1.5 million in restitution to San Francisco.
Childs refused to hand over the passwords to the FiberWAN network, which handles computer traffic for about 60 percent of the city's departments, to his supervisors and to police.
Calum McLeod, Europe, Middle East and Africa director of Venafi, said that while the survey is not segmented between private- and government-sector responses, the statistics would run true for those in the governmental sector.
“There is nothing to say that government departments are any better at finding their [encryption] keys than anyone else,” McLeod said. “The private sector has more external governance in this area so there is an argument to say that government is worse.”
The survey also showed that while 82 percent of companies use digital certificates and encryption keys, 43 percent of respondents admitted that they’ve been locked out of their own information because people have left or encryption keys were lost.
A copy of the survey’s executive summary is available on Venafi’s website.