Encryption is often seen as an absolute solution to data leakage within an organization. A recent study [PDF] of one of the largest users of email encryption — the federal government — has revealed, however, cryptography can contribute to data leakage as well as control it.
Since the massive leak of sensitive documents to WikiLeaks in 2010, the use of encryption by the federal government has exploded. It’s estimated that 83 percent of all federal agencies have given their users the ability to encrypt outbound email on their desktops.
That’s proven to be a mixed blessing, according to the study of 203 government information security and email managers conducted by MeriTalk and commissioned by Axway. Some 80 percent of the security managers confess that they fear the loss of data through encrypted email. In addition, more than half those managers (58 percent) maintain that encryption makes it harder to detect data leaving their baliwicks.
Despite the increased use of encryption by their email systems, only one in four of the managers said they would grade their systems with an “A.”
Nevertheless, most of the agencies (84 percent) said they felt their systems were safe and that their email gateways supported inspection of desktop-encrypted email. Yet a significant number of managers maintained that email encryption was a security threat, although that was a belief more widely held by information security managers than email managers.
For example, 80 percent of information security managers said they were concerned with the possibility of data loss prevention violations being embedded in encrypted emails, while only 36 percent of email managers acknowledge such concerns.
In addition, more than half the security managers agreed that encryption made it harder for them to detect when valuable or sensitive information was leaking from their agencies (58 percent) and that it made it harder to track down information after it left her organizations (61 percent). Only 47 percent of email managers shared those concerns with the security pros.
Of all the ways that sensitive information can leak from their organizations, standard work email was chosen by almost half the managers (48 percent) as the top way it happens, followed by agency-issued mobile devices (47 percent), USB flash drives (40 percent), personal email (38 percent), personal mobile devices (33 percent) and web-based work mail (23 percent).
For a majority of the security managers (51 percent), the encryption problem would be getting worse, not better, over the next five years, according to the survey.
When asked about the biggest barriers to securing government emails systems, the problems cited by the managers are the same heard by administrators in the private sector. Almost half (46 percent) said budget constraints prevented them from securing their systems adequately. Other barriers to security identified by the managers were employees not adhering to security policies (45 percent) and the rise of mobile technologies (30 percent).
The lessons learned by federal agencies about email encryption can be valuable to the private sector, too. “Email encryption is an important tool for protecting sensitive information, but agencies must be sure that encryption is not making outbound emails so opaque that sensitive information can pass through without detection,” survey sponsor Axway Senior Vice President Michael Dayton said in a statement.
“Agencies themselves may be providing the tools by which federal workers are leaking critical information –