Increased Business Risks from Unprotected Keys and Certificates

By ISBuzz Team
Writer, Information Security Buzz | Oct 01, 2015 12:40 am PST

Two-Thirds of Global Businesses Have Lost Customers from Failure to Secure the Online Trust Established by Keys and Certificates

The Ponemon Institute and Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, released new data from the 2015 Cost of Failed Trust Report on the inherent risk and direct business impact from unsecured cryptographic keys and digital certificates on global organizations. The newly released data from a survey of over 2,300 global IT security professionals reveals how the growing dependence on the digital trust provided by keys and certificates correlates directly to an increased loss of customers, costly outages, failed audits and security breaches. The security risks dwarf the availability and compliance risks nearly 5 to 1, with $53 million over the next 2 years in security risks compared to $7.2 million in combined compliance and availability business risks.

As a result, global enterprises are losing customers, millions in revenue and even shutting down completely. When asked how keys and certificates became a challenge for their businesses, 54% of those surveyed cited a lack of visibility: they don’t know how many keys and certificates are deployed, where they are used, or what policies govern their use. Given that digital certificates have differing and short lifespans of weeks, months or years, this shows the incredible lack of policy enforcement and remediation occurring within the information security department.

“When businesses fail to properly secure and manage their keys and certificates, there is a direct financial impact with lost customers and lost revenue,” said Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi. “Every business relies on cryptographic keys and digital certificates to operate, even if they don’t realize it. That’s why it’s imperative that IT ops and IT security teams conduct regular audits to locate all the certificates and keys they are using, determine expiration dates and then put proper policies in place to avoid data breaches, unplanned outages, and failed audits.”

Venafi’s 2015 Cost of Failed Trust Report also revealed:

  • Unsecured keys and certificates are causing businesses to lose customers: Nearly two-thirds (59%) admitted to losing customers because they failed to secure the online trust established by keys and certificates.
  • Business systems are failing: An average of over 2 certificate-related unplanned outages have been reported per organization over the last 2 years. Over the last 2 years, every business has failed one or more SSL/TLS audits and one or more SSH audits.
  • The risk continues—at great cost: Our reliance on keys and certificates continues to grow with their increased use for SSL/TLS as well as mobile, WiFi, and VPN access, and the explosion of Internet of Things (IoT) devices. This increased reliance causes a dramatic increase in risk for availability, compliance, and security. However, the amount of risk is not equal across these areas—security risk at $53 million over the next 2 years dwarfs availability and compliance risk, which totals $7.2 million.
  • Challenges must be addressed: Over half (54%) admitted to a lack of visibility and a lack of policy enforcement and remediation for keys and certificates. Organizations must address these challenges which underlie the security, availability, and compliance risks caused by unsecure keys and certificates.

“We hope this report will help Global 5000 security and executive teams realize the major risk that expired cryptographic keys and digital certificates are posing to the enterprise,” said Jeff Hudson, CEO, Venafi. “With keys and certificates broadly deployed and so integral to the future of business growth, this data is pointing to a symptom of a larger security issue – if you can’t manage your keys and certificates then you can’t protect them and you’re living in a world without trust. That’s why Venafi provides the Immune System for the Internet – we help Global 5000 enterprises everywhere find, manage and protect their keys and certificates, which are increasingly being targeted by cyber criminals for misuse.”

About Ponemon Institute

Ponemon Institute conducts independent research and education that advances information security, data protection, privacy and responsible information management practices within businesses and governments throughout the world. Our mission is to conduct high quality, empirical studies on critical issues that affect the protection of information assets and IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards.

About Venafi

Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity—cryptographic keys and digital certificates—so they can’t be misused by bad guys in attacks. In today’s connected world, cybercriminals want to gain trusted status and remain undetected, which makes keys and certificates a prime target. Unfortunately, most security systems blindly trust keys and certificates, allowing bad guys to use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data. As the Immune System for the Internet, Venafi patrols across the network, on devices, behind the firewall, and throughout the internet to determine which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not.

As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP) and a Gartner-recognized Cool Vendor, the Venafi Trust Protection Platform™ protects keys and certificates and eliminates blind spots from threats hidden in encrypted traffic. As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™ help organizations know what’s trusted and “self” in order to regain control over keys and certificates on mobile devices, applications, virtual machines and network devices and out in the cloud. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, business, and brand. Venafi Threat Center also provides primary research and threat intelligence for attacks on keys and certificates.

Venafi is the market leading cybersecurity company in Next Generation Trust Protection (NGTP). As a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to secure cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. With little to no visibility into how the tens of thousands of keys and certificates in the average enterprise are used, no ability to enforce policy, and no ability to detect or respond to anomalies and increased threats, organizations that blindly trust keys and certificates are at increased risk of costly attacks, data breaches, audit failures and unplanned outages.

Venafi customers are among the world’s most demanding, security-conscious Global 2000 organizations in financial services, retail, insurance, healthcare, telecommunications, aerospace, manufacturing, and high tech. Today Venafi protects four of the top five U.S. banks, eight of the top 10 U.S. health insurance companies and four of the top seven U.S. retailers. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Intel Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners, and Silver Lake Partners.