Unprotected and poorly managed keys and certificates result in a loss of customers, costly outages, failed audits, and security breaches, according to The Ponemon Institute and Venafi.
Businesses around the globe are suffering the damaging impacts of unsecured keys and certificates:
When trust online breaks, businesses lose customers: Nearly two-thirds (59%) of respondents admitted to losing customers because they failed to secure the online trust established by keys and certificates, with an average cost of $15 million per outage.
Critical business systems are failing: An average of over 2 certificate-related unplanned outages have been reported per organization over the last 2 years.
Businesses are failing audits: On average, organizations failed at least one SSL/TLS audit and at least one SSH audit within the last 2 years.
“When businesses fail to properly secure and manage their keys and certificates, there is a direct financial impact with lost customers and lost revenue,” said Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi. “Every business relies on the trust provided by keys and certificates to operate, even if they don’t realize it. That’s why it’s imperative that IT ops and IT security teams conduct regular audits to locate all the certificates and keys they are using, determine expiration dates, and then put proper policies in place to avoid data breaches, unplanned outages, and failed audits.”
From online banking and mobile applications to the Internet of Things, everything IP-based depends upon a key and certificate to create a trusted connection, and our reliance on keys and certificates continues to grow with increased use for SSL/TLS, as well as mobile, WiFi, and VPN access.
This increased reliance causes an increase in risk for availability, compliance, and security. However, the amount of risk is not equal across these areas—the security risks dwarf the availability and compliance risks nearly 7 to 1, with $53 million over the next 2 years in security risk compared to $7.2 million in combined compliance and availability business risks.
When asked about the challenges of protecting and managing keys and certificates, 54% of the IT security professionals surveyed said they don’t know how many keys they have, where they are located, or how they are used. This is up from 50% two years ago. However, most security analysts believe this number to be grossly underestimated.
Similarly, 54% said they lack policy enforcement and remediation for keys and certificates. Organizations must address these challenges which underlie the security, availability, and compliance risks caused by unsecure keys and certificates.
“We hope this report will help IT security and executive teams realize the major risk that unprotected and poorly managed cryptographic keys and digital certificates are posing to enterprises,” said Larry Ponemon, Chairman and Founder of The Ponemon Institute. “Keys and certificates are broadly deployed and are critical for creating trusted connections and securing businesses. It’s clear that this report data underscores a symptom of a larger security problem — if you don’t know where your keys and certificates are, can’t continuously monitor them, and are unable to automate their secure lifecycle, then you simply can’t protect them. Ultimately, this is why online trust is broken.”