Cyber attacks can cost every enterprise $398m reveals Ponemon research
Ponemon Institute and Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, recently announced the 2013 Annual Cost of Failed Trust Report: Threats and Attacks. This new annual report provides the first extensive examination of how failure to control trust in the face of new and evolving security threats places every global enterprise at risk. Based on survey participant expectations, organisations are projected to lose $35 million (USD) over the next 24 months. This estimate is based on a total possible cost exposure of $398 million per organisation. These and other conclusions are based on new primary research conducted by Ponemon Institute among Global 2000 organisations based in Australia, France, Germany, the United Kingdom and the United States.
Every business and government agency relies on critical security technologies to ensure that communications and transactions conducted across the Internet, as well as within closed networks, remain trusted, private and compliant with regulations. The most essential of these technologies are cryptographic keys and digital certificates, which provide the foundation of trust for the modern world of secure communications, card payments, online shopping, smartphones and cloud computing.
Yet failing to manage certificates and keys creates vulnerabilities that cybercriminals exploit to breach enterprise networks, steal data and disrupt critical business operations. Until now, the cost of failed trust from these attacks has not been quantified but is based only on anecdotal evidence. This report changes that by providing hard research data about the financial risks.
“In partnering with Venafi, we set out to answer for the first time one of the most sought-after questions in information security and compliance: what are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?” said Larry Ponemon, chairman and founder of Ponemon Institute Research. “We rely on keys and certificates to provide the bedrock of trust for all business and government activities, online and in the cloud. Yet criminals are turning our dependence on these trust instruments against us at an alarming rate.
“This new research not only allows us to quantify the cost of these trust exploits, but also gives insight into how enterprise failures in key and certificate management open the door to criminals. More than half of the companies surveyed, for instance, do not know how many keys and certificates they have, which is both a serious security issue and a Governance, Risk and Compliance (GRC) gap that executives must address with proper controls,” said Ponemon. “It’s not surprising then that all companies we spoke with had suffered an attack on trust due to failed key and certificate management, or that these attacks are projected to cost organisations an average of $35 million, with a maximum possible cost exposure of $398 million per organisation. This level of risk and exposure demands remediation.”
The report reveals many findings, including:
High costs: On average enterprises are projected to risk losing an average of $35 million over 24 months from attacks on trust. This is based on a total possible cost exposure of almost $400 million per organisation.
Expensive, preventable exploits: Easily preventable exploits of weak cryptography are most likely and are costly, averaging $125 million per incident, per organisation.
Consequences for Certificate Authority (CA) compromises: Attacks on trusted CAs lead to man-in-the-middle and phishing attacks on enterprises, with costs averaging $73 million per incident, per organisation.
Wide-spread vulnerability: All surveyed enterprises suffered at least one attack on trust due to failed key and certificate management.
In addition to revealing the financial impact of failing to control trust, the research also demonstrates the extent of the challenge facing enterprises in regaining control of their keys and certificates:
Too vast a problem for manual management: Enterprises estimate they have on average 17,807 keys and certificates, per organisation. Unknown and unquantified risk: Fifty-one percent of surveyed organisations do not know exactly how many keys and certificates they have. Clear and present danger to cloud computing: Respondents believe difficult-to-detect attacks on Secure Shell (SSH) keys, critical for cloud services from Amazon and Microsoft, present the most alarming threat arising from failure to control trust. Need to establish control over trust: Already 59 percent of enterprises believe that proper key and certificate management can help them regain control over trust and avoid these risks.
“Cyber criminals understand how fragile our ability to control trust has become, and as a result, they continue to target failed key and certificate management,” said Venafi CEO Jeff Hudson. “These exploits wreak havoc by causing unplanned outages, productivity loss, brand damage and data breaches. Until today the financial impact, the extent of the challenges and the industry’s recognition of these compromises remained largely unknown and unquantified.
“Trust is the foundation of all relationships, including those between enterprises and the markets they serve. As our world becomes more connected and more dependent on cloud and mobile technologies, maintaining control over trust by managing keys and certificates must be a top priority for all CEOs, CIOs, CISOs and IT security managers,” Hudson continued. “When trust is compromised, business stops. Our hope is that this report provides both the validation and the motivation to help business and IT executives take action.”