The Ponemon Institute and Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, today released new data on the direct business impact on global organizations from unsecured cryptographic keys and digital certificates in the 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers. The newly released data from a survey of over 2,300 global IT security professionals reveals how unprotected and poorly managed keys and certificates result in a loss of customers, costly outages, failed audits, and security breaches.
Earlier this year, the Ponemon Institute and Venafi published research on the risks global businesses face from attacks using keys and certificates in the 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. Consensus among global survey participants from Australia, France, Germany, UK, and the US was that the system of online trust was at the breaking point. Unpublished data from the survey is now available in this new report that shows businesses around the globe are suffering the damaging impacts of unsecured keys and certificates.
- When trust online breaks, businesses lose customers: Nearly two-thirds (59%) of respondents admitted to losing customers because they failed to secure the online trust established by keys and certificates, with an average cost of $15 million per outage.
- Critical business systems are failing: An average of over 2 certificate-related unplanned outages have been reported per organization over the last 2 years.
- Businesses are failing audits: On average, organizations failed at least one SSL/TLS audit and at least one SSH audit within the last 2 years.
“When businesses fail to properly secure and manage their keys and certificates, there is a direct financial impact with lost customers and lost revenue,” said Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi. “Every business relies on the trust provided by keys and certificates to operate, even if they don’t realize it. That’s why it’s imperative that IT ops and IT security teams conduct regular audits to locate all the certificates and keys they are using, determine expiration dates, and then put proper policies in place to avoid data breaches, unplanned outages, and failed audits.”
From online banking and mobile applications to the Internet of Things, everything IP-based depends upon a key and certificate to create a trusted connection, and our reliance on keys and certificates continues to grow with increased use for SSL/TLS, as well as mobile, WiFi, and VPN access. This increased reliance causes a dramatic increase in risk for availability, compliance, and security. However, the amount of risk is not equal across these areas—the security risks dwarf the availability and compliance risks nearly 7 to 1, with $53 million over the next 2 years in security risk compared to $7.2 million in combined compliance and availability business risks.
When asked about the challenges of protecting and managing keys and certificates, 54% of the IT security professionals surveyed said they don’t know how many keys they have, where they are located, or how they are used. This is up from 50% two years ago. However, most security analysts believe this number to be grossly underestimated. Similarly, 54% said they lack policy enforcement and remediation for keys and certificates. Organizations must address these challenges which underlie the security, availability, and compliance risks caused by unsecure keys and certificates.
“We hope this report will help IT security and executive teams realize the major risk that unprotected and poorly managed cryptographic keys and digital certificates are posing to enterprises,” said Larry Ponemon, Chairman and Founder of The Ponemon Institute. “Keys and certificates are broadly deployed and are critical for creating trusted connections and securing businesses. It’s clear that this report data underscores a symptom of a larger security problem — if you don’t know where your keys and certificates are, can’t continuously monitor them, and are unable to automate their secure lifecycle, then you simply can’t protect them. Ultimately, this is why online trust is broken.”
About Ponemon Institute
Ponemon Institute conducts independent research and education that advances information security, data protection, privacy and responsible information management practices within businesses and governments throughout the world. Our mission is to conduct high quality, empirical studies on critical issues that affect the protection of information assets and IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. www.ponemon.org.