Based on survey participant expectations, organizations are projected to lose $35 million (USD) over the next 24 months. This estimate is based on a total possible cost exposure of $398 million per organization. These and other conclusions are based on new primary research conducted by Ponemon Institute among Global 2000 organizations based in Australia, France, Germany, the United Kingdom and the United States.
Every business and government agency relies on critical security technologies to ensure that communications and transactions conducted across the Internet, as well as within closed networks, remain trusted, private and compliant with regulations. The most essential of these technologies are cryptographic keys and digital certificates, which provide the foundation of trust for the modern world of secure communications, card payments, online shopping, smartphones and cloud computing.
Yet failing to manage certificates and keys creates vulnerabilities that cybercriminals exploit to breach enterprise networks, steal data and disrupt critical business operations. Until now, the cost of failed trust from these attacks has not been quantified but is based only on anecdotal evidence. This report changes that by providing hard research data about the financial risks.
“This new research not only allows us to quantify the cost of these trust exploits, but also gives insight into how enterprise failures in key and certificate management open the door to criminals. More than half of the companies surveyed, for instance, do not know how many keys and certificates they have, which is both a serious security issue and a Governance, Risk and Compliance (GRC) gap that executives must address with proper controls,” said Larry Ponemon, chairman and founder of Ponemon Institute Research.
The report reveals many findings, including:
High costs: On average enterprises are projected to risk losing an average of $35 million over 24 months from attacks on trust. This is based on a total possible cost exposure of almost $400 million per organization.
Expensive, preventable exploits: Easily preventable exploits of weak cryptography are most likely and are costly, averaging $125 million per incident, per organization.
Consequences for Certificate Authority (CA) compromises: Attacks on trusted CAs lead to man-in-the-middle and phishing attacks on enterprises, with costs averaging $73 million per incident, per organization.
Wide-spread vulnerability: All surveyed enterprises suffered at least one attack on trust due to failed key and certificate management.
In addition to revealing the financial impact of failing to control trust, the research also demonstrates the extent of the challenge facing enterprises in regaining control of their keys and certificates:
Too vast a problem for manual management: Enterprises estimate they have on average 17,807 keys and certificates, per organization.
Unknown and unquantified risk: Fifty-one percent of surveyed organizations do not know exactly how many keys and certificates they have.
Clear and present danger to cloud computing: Respondents believe difficult-to-detect attacks on Secure Shell (SSH) keys, critical for cloud services from Amazon and Microsoft, present the most alarming threat arising from failure to control trust.
Need to establish control over trust: Already 59 percent of enterprises believe that proper key and certificate management can help them regain control over trust and avoid these risks.
“Cyber criminals understand how fragile our ability to control trust has become, and as a result, they continue to target failed key and certificate management,” said Venafi CEO Jeff Hudson. “These exploits wreak havoc by causing unplanned outages, productivity loss, brand damage and data breaches. Until today the financial impact, the extent of the challenges and the industry’s recognition of these compromises remained largely unknown and unquantified.
“Trust is the foundation of all relationships, including those between enterprises and the markets they serve. As our world becomes more connected and more dependent on cloud and mobile technologies, maintaining control over trust by managing keys and certificates must be a top priority for all CEOs, CIOs, CISOs and IT security managers,” Hudson continued. “When trust is compromised, business stops. Our hope is that this report provides both the validation and the motivation to help business and IT executives take action.”