Trust comes at a price. However, while IT security professionals understand this, they often treat trust as an afterthought. As a result, companies suffer the consequences in unexpected recovery costs and failed business relationships.
The financial sector takes trust very seriously; stakeholders at financial institutions never trivialize the trust their clients place in them because they know the entire value of the company rests on that trust. That same level of concern should extend throughout the business world, and the proper control of trust should form a primary component of security management. This view is validated by cutting-edge research from the Ponemon Institute, an independent center dedicated to research on data privacy, data protection and information security policy.
The Ponemon Institute First Annual Cost of Failed Trust Report reveals that enterprises risk losing as much as $398 million due to failures to control the bedrock technologies of IT trust: cryptographic keys and digital certificates. Widespread management failures of these technologies leave enterprises disturbingly exposed to cyber attacks and advanced persistent threats (APTs). The report projects that the average enterprise will actually lose an average of $35 million every two years from attacks on trust. Those figures reflect the tangible costs of unexpected outages and security breaches, as well as the less tangible ripples after any incident—loss of reputation, loss of sales and interruptions of business operations.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, presented the report findings at the 2013 RSA Conference. In addition to the high costs that enterprises risk, he revealed several other troubling trends related to trust and IT security management:
– Widespread vulnerability: All surveyed enterprises suffered at least one incident due to failed key and certificate management in the last two years.
– Too vast a problem for manual management: Enterprises have on average 17,807 keys and certificates each, according to the report.
– Unknown and unquantified risk: Fifty-one percent of surveyed organizations do not know exactly how many keys and certificates they have.
– Clear and present danger to cloud computing: Respondents believe difficult-to-detect attacks on Secure Shell (SSH) keys, critical for cloud services from Amazon and Microsoft, present the most alarming threat arising from failure to control trust.
The report bases its conclusions on new primary research conducted in Australia, France, Germany, the U.K. and the U.S. with 2,342 respondents, mostly from Global 2000 enterprises.
The research clearly reveals that most enterprises struggle to retain control of trust. Widespread failures in trust management are indicated by the 51 percent of respondents who do not know how many keys and certificates they have, even though these are the backbone of trust in an interconnected, digital economy. In fact, 40 percent of respondents openly admitted that their own inability to control their encryption assets is already placing sensitive and valuable data at risk. These shortfalls lead to a troubling conclusion: although respondents estimate the chance of future attacks at 18 percent on average, the gaping management failures point to an even higher likelihood.
The report touches on various types of attacks, such as certificate authority (CA) breaches, SSH key theft and exploits of weak cryptography. It tells a troubling story in which enterprises remain vulnerable to these highly damaging incidents even though such attacks are entirely preventable with the proper tools and security management applications. For example, 18 percent of enterprises expect to fall prey to an attack in the next two years due to their use of weak, legacy cryptography. The associated costs are staggering, with each attack potentially costing an organization as much as $125 million. Yet, according to Dr. Ponemon, enterprises could easily prevent those attacks by incorporating automated key and certificate management systems.
Regaining control of trust involves the proper combination of process, policy, people and technology. Although challenging, controlling trust is possible and absolutely necessary. Already 59 percent of enterprises understand that proper key and certificate management can help them regain control over trust and avoid losing the millions of dollars that they otherwise risk.
Enterprises can obtain valuable advice for establishing control over trust from organizations such as the National Institute of Standards and Technology (NIST), which suggests best practices for responses to CA compromises and for the key management lifecycle. The U.K. Information Commissioner’s Office (ICO) also provides a framework for maintaining control over trust in the emerging world of cloud computing.
Ultimately, as the research demonstrates, an organization’s control over trust—and all the business processes founded on that trust—remains only as strong as its ability to control and manage its cryptographic keys and digital certificates.