CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Network Security

The High Financial Costs of Failed Trust

Trust comes at a price. However, while IT security professionals understand this, they often treat trust as an afterthought. As a result, companies suffer the consequences in unexpected recovery costs and failed business relationships.

Trust comes at a price. However, while IT security professionals understand this, they often treat trust as an afterthought. As a result, companies suffer the consequences in unexpected recovery costs and failed business relationships.

The financial sector takes trust very seriously; stakeholders at financial institutions never trivialize the trust their clients place in them because they know the entire value of the company rests on that trust. That same level of concern should extend throughout the business world, and the proper control of trust should form a primary component of security management. This view is validated by cutting-edge research from the Ponemon Institute, an independent center dedicated to research on data privacy, data protection and information security policy.

The Ponemon Institute First Annual Cost of Failed Trust Report reveals that enterprises risk losing as much as $398 million due to failures to control the bedrock technologies of IT trust: cryptographic keys and digital certificates. Widespread management failures of these technologies leave enterprises disturbingly exposed to cyber attacks and advanced persistent threats (APTs). The report projects that the average enterprise will actually lose an average of $35 million every two years from attacks on trust. Those figures reflect the tangible costs of unexpected outages and security breaches, as well as the less tangible ripples after any incident—loss of reputation, loss of sales and interruptions of business operations.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, presented the report findings at the 2013 RSA Conference. In addition to the high costs that enterprises risk, he revealed several other troubling trends related to trust and IT security management:

– Widespread vulnerability: All surveyed enterprises suffered at least one incident due to failed key and certificate management in the last two years.

– Too vast a problem for manual management: Enterprises have on average 17,807 keys and certificates each, according to the report.

– Unknown and un-quantified risk: Fifty-one percent of surveyed organizations do not know exactly how many keys and certificates they have.

– Clear and present danger to cloud computing: Respondents believe difficult-to-detect attacks on Secure Shell (SSH) keys, critical for cloud services from Amazon and Microsoft, present the most alarming threat arising from failure to control trust.

Advertisement. Scroll to continue reading.

The report bases its conclusions on new primary research conducted in Australia, France, Germany, the U.K. and the U.S. with 2,342 respondents from mostly global 2000 enterprises.

The research clearly reveals that most enterprises struggle to retain control of trust. Widespread failures in trust management are indicated by the 51 percent of respondents who do not know how many keys and certificates—the backbone of trust in an interconnected, digital economy – they have. In fact, 40 percent of respondents openly admitted that their own inability to control their encryption assets is already placing sensitive and valuable data at risk. These shortfalls lead to a troubling conclusion. Although respondents estimate the chance of future attacks at 18 percent, on average—in reality, the gaping management failures point to an even higher likelihood.

The report touches on various types of attacks, such as certificate authority (CA) breaches,, SSH key theft and exploits of weak cryptography, telling a troubling story in which enterprises remain vulnerable to these highly damaging incidents even though such attacks are entirely preventable with the proper tools and security management applications. For example, 18 percent of enterprises expect to fall prey to an attack in the next two years due to their use of weak, legacy cryptography. The associated costs are staggering, with each attack potentially costing an organization as much as $125 million. Yet, according to Dr. Ponemon, enterprises could easily prevent those attacks by incorporating automated key and certificate management systems.

Regaining control of the trust involves the proper combination of process, policy, people and technology. Although challenging, controlling trust is possible and absolutely necessary. Already 59 percent of enterprises understand that proper key and certificate management can help them regain control over trust and avoid losing millions of dollars that they otherwise risk.

Enterprises can obtain valuable advice for establishing control over trust from organizations such as the National Institute of Standards and Technology (NIST), which suggests best practices for responses to CA compromises and for the key management lifecycle. The U.K. Information Commissioner’s Office (ICO), also provides a framework for maintaining control over trust in the emerging world of cloud computing.

Ultimately, as the research demonstrates, an organization’s control over trust—and all the business processes founded on that trust—remains only as strong as its ability to control and manage its cryptographic keys and digital certificates.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.