Every large UK business is open to £247 million in possible threat exposure due to a lack of control over cryptographic keys and certificates, the foundation of trust in the modern world of secure communications, smartphones, cloud computing and almost every digital and electronic asset, according to the Ponemon Institute.
Organisations face ever-increasing challenges with trust exploits. With advanced persistent threats (APTs), bad actors are taking advantage of every exploit and looking for the weakest link in security systems. Common, well-known vulnerabilities like digitally signed malware, poor key and certificate management and weak cryptographic methods remain in many enterprises.
Despite over half (51%) of UK organisations admitting that they know these to be major security issues, few are taking action. Failure to manage certificates and keys creates vulnerabilities that cybercriminals leverage to breach enterprise networks, steal data and IP and disrupt critical business operations. Every UK organisation in the survey had faced at least one of these attacks over the last 2 years.
“With every business and government department across the UK relying on cryptographic keys and certificates in order to operate, failure to manage just one can result in serious attacks or unplanned system outages,” says Calum Macleod, Venafi EMEA Evangelist. “Criminals understand how difficult it is to control trust, and by failing to have the correct controls in place to manage or secure certificates and keys, businesses have opened themselves up to risk on a daily basis.”
Today the typical Global 2000 organisation has an average of 17,807 certificates and keys deployed across its infrastructure. Within the UK Fortune 500, there are likely five or six million keys and certificates in use at any one time, which creates a significant target for attack and renders manual management untenable.
The survey also highlights that 61% of UK respondents don’t know how many keys or certificates are currently in use across their infrastructure. This points to a worrying trend: whilst half of respondents know the security impact of certificate mismanagement, the same proportion (half) have no idea how many certificates are currently in use.
Macleod continues: “It is extremely concerning to know that so many businesses are aware of the security impacts certificate and key oversight can have on a business, yet are still doing nothing to combat the problem. Unless organisations sit up and take notice of this growing problem, the threat and the amount of money lost by organisations each year will only increase.”