The internet’s foundations of trust are at risk, potentially costing business $52m in the next two years, a study by The Ponemon Institute and security firm Venafi has revealed.
Nearly two-thirds (59%) of global businesses and 61% of UK firms have lost customers due to failure to secure the online trust established by digital certificates and cryptographic keys, according to the 2015 Cost of failed trust report, based on a survey 2,300 global IT security professionals.
The study corroborates the findings of a Venafi survey of 300 IT security professionals at the BlackHat USA 2015 security conference in Las Vegas that showed most are failing to take action about the risks associated with untrustworthy certificates and keys.
By design, cryptographic keys and digital certificates are natively trusted by servers and other security applications to provide for authentication and authorisation for everything that is internet protocol-based , including servers, cloud applications and devices making up the internet of things (IoT).
But unsecured keys and certificates provide the attackers trusted access to the target’s networks and allow them to remain undetected for long periods of time, and according to Venafi, this blind trust is being misused against organisations by cyber criminals so they can monitor and impersonate their targets to steal data.
This threat is largely unrecognised even though large companies such as Sony, Anthem and JP Morgan Chase have all been hit by trust-based cyber attacks in the past year.
The Ponemon/Venafi report on the inherent risk and direct business impact from unsecured cryptographic keys and digital certificates on global organisations reveals how the growing dependence on the digital trust provided by keys and certificates correlates directly to an increased loss of customers, costly outages, failed audits and security breaches.
According to the report, the security risks dwarf the availability and compliance risks nearly 5 to 1, with $53m over the next two years in security risks compared with $7.2m in combined compliance and availability business risks.
As a result, global enterprises are losing customers, millions in revenue and even shutting down completely.
When asked how keys and certificates became a challenge for their businesses, 54% of those surveyed cited a lack of visibility, which means they do not know how many keys and certificates are deployed, where they are used, or what policies govern their use.
Lack of policy enforcement
Considering that digital certificates have differing and short lifespans of weeks, months or years, the report said this shows the huge lack of policy enforcement and remediation within information security departments.
“When businesses fail to secure and manage their keys and certificates properly, there is a direct financial impact with lost customers and lost revenue,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Every business relies on cryptographic keys and digital certificates to operate, even if they don’t realise it. That’s why it’s imperative that IT operations and IT security teams conduct regular audits to locate all the certificates and keys they are using, determine expiration dates and then put proper policies in place to avoid data breaches, unplanned outages, and failed audits.”
The report shows that business systems are failing with an average of more than three certificate-related unplanned outages per organisation in the UK, compared with an average of more than two globally, and every business failing one or more SSL/TLS audits and one or more SSH audits.
Read more about digital certificate management
In the UK, the cost of these unplanned outages due to certificates is on average £8.5m ($12.8) per incident compared with a global average of $15m per incident.
This means, that certificate-related unplanned outages have cost UK organisations an average of more than £25.5m ($38.6) in the past two years compared with a global average of more than $30m.
The report notes that the risk continues to grow due to the increasing reliance on keys and certficates with their increased use for SSL/TLS as well as mobile, Wi-Fi, and virtual private network (VPN) access, and the explosion of IoT devices.
This increased reliance causes a dramatic increase in risk for availability, compliance, and security, the report said.
With more than half of respondents admitting to a lack of visibility and a lack of policy enforcement and remediation for keys and certificates, the report said organizations must address the challenges that underlie the security, availability, and compliance risks caused by unsecure keys and certificates.
In the UK, 63% of IT leaders admitted to a lack of visibility for keys and certificates, while 61% said that they lack policy enforcement and remediation around them.
“We hope this report will help security and executive teams realise the major risk that expired cryptographic keys and digital certificates are posing to the enterprise,” said Jeff Hudson, Venafi chief executive.
“With keys and certificates broadly deployed and so integral to the future of business growth, this data is pointing to a symptom of a larger security issue - if you can’t manage your keys and certificates then you can’t protect them and you’re living in a world without trust.”
According to Hudson, enterprises need to find, manage and protect their keys and certificates, which are increasingly being targeted by cyber criminals for misuse.
