Organizations still struggle to manage foundational security

Regulatory measures such as GDPR put focus on data privacy at design, tightening requirements and guiding IT security controls like Public Key Infrastructure (PKI).

Continued adoption of IoT, cloud and mobile technologies are increasing the number of digital certificates and keys that ensure secure connections and identity authentication through PKI, a Keyfactor and Ponemon Institute research reveals.

“This research demonstrates that despite heightened compliance focus, businesses struggle to manage foundational security like PKI and the tools and processes that maintain it. This is concerning, especially as the number of digital certificates and keys within enterprise continues to multiply,” said Chris Hickman, CSO at Keyfactor.

Regulatory compliance a strategic priority

Half of respondents indicate regulatory compliance as a strategic priority and two-thirds say their organization is adding additional layers of encryption to comply with regulations and IT policies.

However, undocumented or unenforced key management policies are problematic, with respondents averaging more than four failed audits or compliance experiences in the last 24 months.

“Less than half of respondents say they have sufficient staff dedicated to PKI,” said Hickman.

“A lack of program ownership, combined with the constant care and feeding that digital identities need, has introduced new risk, creating an exposure epidemic. Unless leaders invest in in-house processes and outsourced resources to manage PKI, enterprise will risk failed audits, fines and worse, a security breach.”

Foundational security: Additional findings

• A rise in security incidents: on average, organizations experienced a Certificate Authority (CA) or rogue man-in-the-middle (MITM) and/or phishing attack four times in the last 24 months, facing a 32% likelihood of a MITM or phishing attack over the next 24 months.
• Staffing shortages: on average, 15% of IT security budget is spent on PKI deployment annually, yet just 43% of respondents say their organisation has enough IT security staff members dedicated to PKI deployment.
• Lack of visibility: 70% of respondents say their organisation does not know how many digital certificates and keys it has within the business.
• Cryptography related security incidents undermine trust: 68% of respondents say failure to secure keys and certificates undermines the trust their organisation relies upon to operate.
• Cryptography lacks a center of excellence: despite the rising cost of PKI and growth of cryptography-related incidents, just 40% of companies have the ability to drive enterprise-wide best practice.
• Spending trend: represented organizations are spending an average of £9.37M on IT security annually, with £1.37M dedicated to PKI.