It’s time for companies to take a hard look at how they manage secrets

Leaked infrastructure secrets – code, credentials and keys – which are exposed accidentally or intentionally cost companies an average of $1.2 million in revenue per year, according to a report from 1Password.

The report explores how organizations are managing the explosion of sensitive information, the prevalence of secrets management shortcomings and the severe impact on the bottom line, including damaged corporate reputation, alienated customers and delayed product cycles.

“Secrets are now the lifeblood for IT and DevOps as they seek to support the explosion of apps and services now required in the modern enterprise” said Jeff Shiner, 1Password CEO.

“Our research reveals that secrets are booming, but IT and DevOps teams are not meeting rigorous standards to protect them – and in the process are putting organizations at risk of incurring tremendous cost. It’s time for companies to take a hard look at how they manage secrets, and adopt practices and solutions to ‘put the secret back into secrets’ to support a culture of security.”

Secrets are everywhere

Today, 65% of IT and DevOps employees estimate their company has more than 500 secrets – and 18% say they have more than they can count.

• Managing secrets is expensive: IT and DevOps spend an average of 25 minutes each day managing secrets, at an estimated payroll expense of $8.5B annually across companies in the US.
• More apps, more secrets: 51% of IT/DevOps workers say their time spent managing secrets has increased in the last year, and for 10% it’s more than doubled.

Loose secrets sink enterprises

1Password’s research found that losing control of secrets can damage many aspects of enterprise operations and undermine the bottom line.

• Financial pain: IT/DevOps workers whose company lost control of secrets said their company lost, on average, $1.2M. Ten percent of IT/DevOps who experienced secrets leakage said their company lost more than $5M – amounting to billions across the national economy.
• Bad business side effects: 40% of IT/DevOps workers at organizations who’ve experienced secrets leakage report brand reputation damage; 29% say it led to lost clients.
• Product delays: IT/DevOps shared that 61% of projects are delayed due to poor secret management.
• Ex-employee risk factor: 77% of IT/DevOps workers say that they still have some amount of access to their former with 37% saying that they still have full access.

Manage secrets

52% of IT and DevOps workers say that the explosion of cloud applications has made managing secrets more difficult.

• IT/DevOps are too busy to keep secrets: The very people that should be keeping secrets aren’t making it a priority; 80% of employees of IT/DevOps organizations admit to not managing their secrets well.
• Secrets, secrets everywhere: 25% of employees at IT/DevOps companies have secrets in 10 or more different locations and have shared with colleagues via insecure channels – email (59%), chat services such as Slack (40%), spreadsheets/shared documents (36%) and text (26%).
• Undermining the enterprise: IT/DevOps employees report that poorly managing enterprise secrets wastes time (48%), delays projects (38%), frustrates employees (36%) and disrupts workflows (33%).

Sloppy secrets

IT and DevOps employees are concerned about the consequences of their companies not doing enough to secure their secrets. However, IT and DevOps employees also admit to being careless when sharing secrets, opening the door to potential leaks.

• Wash, rinse, repeat: 64% of IT/DevOps workers admit to reusing enterprise secrets between projects.
• Passing notes around the server room: 36% of IT/DevOps workers say they’ll share secrets over insecure channels to increase productivity and speed.
• Enforcement issues: 97% of IT/DevOps workers report their organization has a policy in place for enterprise secrets generation, but just 36% say their company is strict with its policy enforcement.
• Terror time: 51% of IT/DevOps workers have explicit fears with the way their company currently handles secrets.

Bosses are the “leak” link

Those with most at stake – managers and VPs – are more likely to circumvent security policies, reuse secrets and access production systems without permission.

• Convenience over security: Sixty-three percent of team leads and managers and 67% of VP and above have ignored or worked around company security policies to meet COVID-19 work demands–nearly triple the rate of individual IT/DevOps contributors (25%).
• VPs are double the trouble: 81% of IT/DevOps VPs and above have reused secrets between projects, compared to 65% of team leads and managers. VPs and above are twice as likely to reuse secrets as individual contributors (39%).