The Ponemon Institute and Venafi released today the 2015 Cost of Failed Trust Report, the only global research to analyze the impact of attacks on the Internet system of trust. The research found that IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the world’s economy, is at the breaking point. For the first time, half of the more than 2,300 IT security professionals surveyed now believe the technology behind the trust their business requires to operate is in jeopardy. All of the organizations surveyed had responded to multiple attacks on keys and certificates over the last two years.
Conducted in Australia, France, Germany, the United Kingdom, and the United States, the 2015 Cost of Failed Trust Report is the only research of its kind to examine the system of digital trust on which the world’s economy depends. The 2015 research reveals that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million (USD), an increase of 51 percent from 2013. For four years running, 100 percent of the companies surveyed said they had responded to multiple attacks on keys and certificates, and vulnerabilities like Heartbleed have taken their toll. Sixty percent of participants agreed their organizations must do a better job responding to vulnerabilities involving keys and certificates like Heartbleed.
“The overwhelming theme in this year’s report is that online trust is at the breaking point. And it’s no surprise. Leading researchers from FireEye, Intel, Kaspersky, and Mandiant, and many others consistently identify the misuse of keys and certificates as an important part of APT and cybercriminal operations,” said Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi. “Whether they realize it or not, every business relies upon cryptographic keys and digital certificates to operate. Without the trust established by keys and certificates, we’d be back to the Internet ‘stone age’ – not knowing if a website, device, or mobile application can be trusted.”
The 2015 Cost of Failed Trust Report also revealed:
- As risk increases, so does the number of keys and certificates: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services grew more than 34 percent to almost 24,000 per enterprise. The growing population of keys and certificates makes them a more attractive target for attack. Stolen certificates sell for almost $1,000 on underground marketplaces, and their price doubled in just one year. Researchers from Intel believe hacker interest is growing quickly.
- Organizations are more uncertain than ever about how and where they use keys and certificates: 54 percent of organizations now admit to not knowing where all of their keys and certificates are located or how they are being used. This leads to an obvious question: if an enterprise does not know which keys and certificates it has, how can it know what is trusted and what is not?
- Security pros worry about a Cryptoapocalypse-like event: A scenario in which the standard algorithms of trust, such as RSA and SHA, are compromised and exploited overnight is reported as the most alarming threat. Instantly, transactions, payments, mobile applications, and a growing number of Internet of Things devices could no longer be trusted. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity, and time to remediate.
- The misuse of enterprise mobile certificates is a lurking concern: The misuse of enterprise mobility certificates used for applications such as WiFi, VPN, and MDM/EMM is a growing concern for security professionals. Misuse of enterprise mobility certificates was a close second to a Cryptoapocalypse-like event as the most alarming threat. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, over $126 million, and the second largest risk. With a quickly expanding array of mobile devices and applications in enterprises, it is no wonder security pros are so concerned.
“With the rising tide of attacks on keys and certificates, it’s important that enterprises really understand the grave financial consequences. We couldn’t run the world’s digital economy without the system of trust they create,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “This research is incredibly timely for IT security professionals everywhere – they need a wake-up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals.”
“We hope this report will help Global 5000 security teams everywhere realize that the very technologies they have relied upon for two decades are at the breaking point and can’t keep up,” said Jeff Hudson, CEO, Venafi. “With keys and certificates broadly deployed and so integral to the future of the world’s digital economy, it must become a top priority for CEOs, boards of directors, and CISOs to better secure and protect them. With no replacement in sight, failure is not an option. New ways of thinking are required - like using certificate reputation, now available with Venafi TrustNet.”
About the 2015 Cost of Failed Trust Report
The 2015 Cost of Failed Trust Report was completed by 2,371 IT security professionals and examines the financial consequences of failed trust resulting from malicious attacks that exploit failures in cryptographic key and certificate management. The research not only quantifies the cost of these trust exploits, but also gives insight into how enterprise failures in key and certificate management open the door to criminals. This report is the only publicly available research to track the breadth and scope of these types of attacks. By company size, 59 percent of respondents were from organizations with 5,000 or more employees. The largest verticals represented were financial services (17%), government (11%), professional services (8%), consumer products (7%), and retail (7%). The survey data was collected by the Ponemon Institute during January 2015.
About Ponemon Institute
Ponemon Institute conducts independent research and education that advances information security, data protection, privacy and responsible information management practices within businesses and governments throughout the world. Our mission is to conduct high quality, empirical studies on critical issues that affect the protection of information assets and IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. www.ponemon.org.