Venafi: IT Staff have more access to data than their boards
December 2011 by Venafi
Venafi announced the second set of findings from its InfoSecurity 2011 survey. Respondents from over 500 IT professionals reported that chief executive officers of modern companies often lack access to their own sensitive data. When asked who had the easiest access to their company’s most sensitive data, 65 percent said that the IT department had the easiest access, with the CEO at 30 percent, management at 8 percent, the HR department at 7 percent and legal at 5 percent.
The survey also revealed that if the person responsible for managing an organisation’s encryption keys were to leave, 23 percent worried that they would not have access to valuable, encrypted data. This survey follows on from Venafi’s last survey, which found that 40 percent of IT staff admitted that they could hold their employers hostage-even after leaving for other employment-by withholding or hiding encryption keys, making it difficult or impossible for management to access vital data.
A third of survey respondents said that their knowledge of and access to encryption keys, coupled with their organisations’ lack of oversight and poor key and certificate management controls, meant they could bring the company to a grinding halt with minimal effort and little to stop them. Organisations have deployed multi-layer defense systems designed to protect against threats from entering the network and sensitive information from leaving it, yet breaches still occur. The problem is not technology but an inability to manage technology correctly. The survey is an additional reminder that CEOs and boards of directors have not taken appropriate action to protect critical information, and that they continue to allow their IT departments to dictate what data they have access to and how easy it is to access the valuable and often regulated data.
A surprising 24 percent said that the fear of losing encryption keys was deterring them from investing in encryption technologies. This shows that recent major data breaches have almost paralysed some organisations, which are afraid to improve their IT security for fear of making things worse-or just do not trust their IT departments to handle encryption technology effectively.
"Encryption management has become a big issue for companies worldwide. Encryption is the last line of defense in protecting data against loss or compromise," said Jeff Hudson, Venafi CEO. "Companies are finding out how important encryption is when they have experienced a huge data breach because they weren’t using encryption. Then they find out that when they deploy encryption they have another big problem and that is managing the encryption keys. Encryption is only half the solution - you need to know where the keys are and they find that the only way to manage the keys is with an automated certificate and key management system. Once the data’s protected with encryption, the key becomes the data and the thing that must be managed and protected. What this survey reveals is that organisations have to quickly get to grips with automating key and certificate management-the keys are crucial to safeguarding your whole enterprise."
The survey is based on a sample of 500 IT security specialists taken at InfoSecurity 2011.