Those results suggest that keeping encryption keys, administrative passwords and other IT security elements from being under the control of a single employee is possible, and even practical, but that too many companies aren't following up on it. And last month brought a reminder of how big a problem that can be: A judge ordered a former San Francisco network engineer to pay $1.4 million in restitution for locking city IT managers out of the city's network for 12 days.
It appears that the only thing standing between this scenario and many retailers may be the goodwill of IT staffers. According to the results of the survey released by Venafi, which polled 500 IT security specialists at a European security conference in April, 36 percent said they could essentially do what Terry Childs did by refusing to turn over encryption keys. Thirty-one percent said they could take the keys with them after they quit and still access sensitive information remotely. And 43 percent said if they left the company they could still wreak havoc on its networks.
Again, in each category, most of the security people said that type of problem didn't exist in their companies. The organizations with the security holes are in the minority—but they're an uncomfortably sizable minority. Yes, those results come from Europe and they're not broken out by the industries these IT security people come from, so there's no way to know how many work for retailers. For that, we've just got one recent data point: the Gucci network engineer who was indicted in April after he was fired and then allegedly blocked access by Gucci to documents and E-mail for nearly 24 hours, deleted other documents and E-mails, deleted virtual servers and cut off E-mail access to both corporate and Gucci stores for most of a day. Total estimated cost: more than $200,000.
Is that a common occurrence? Of course not. But it probably happens far more often than is reported, because companies prefer to handle such problems quietly. That's not only because businesses want to avoid bad corporate publicity. Whenever an IT staffer goes rogue, there's usually a security hole big enough to drive a getaway car through. And that fact reflects whether it's a single person in control of passwords or encryption keys, sloppy procedures on the part of support staff (that Gucci admin allegedly managed to get a VPN token activated weeks after he was fired) or some other failed security policies and procedures.
But if a third of IT security people say those types of conditions exist at their companies, it's a cry for help. They're obviously not planning on taking advantage of those problems (otherwise they'd be hiding the security issues, not talking about them in a survey). They also apparently can't do anything about the problems by themselves.
Retailers are pretty good about handling payment-card data, because they have to be—PCI failure costs money with every transaction. Standards are lower for securing other business data, especially customer data in CRM systems, which has now become the target for a string of recent intrusions—ranging from Epsilon to Sony. Internal rules for handling things like encryption keys and administrative passwords? They're way down on the list of concerns.
They shouldn't be, though. You have to be able to trust your IT security team. They have the ability to do more damage than anyone else in your organization, which means they can potentially steal anything, lock down anything or cripple everything in your IT infrastructure. But if paranoia is the hallmark of a security person, then these are the very people who will understand best why you can't afford to trust them completely.
And when one in three of them say they can hold the business hostage, you can be pretty sure they don't want to be that type of threat.