Ponemon Institute Research Reveals Cyber Attacks on Trust Can Cost Every Global Enterprise Up to $398 Million
TRAVERSE CITY, MI, and SALT LAKE CITY, UT – Feb. 20, 2013
Ponemon Institute and Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, today announced the 2013 Annual Cost of Failed Trust Report: Threats & Attacks. This new annual report provides the first extensive examination of how failure to control trust in the face of new and evolving security threats places every global enterprise at risk. Based on survey participant expectations, organizations are projected to lose $35 million (USD) over the next 24 months. This estimate is based on a total possible cost exposure of $398 million per organization. These and other conclusions are based on new primary research conducted by Ponemon Institute among Global 2000 organizations based in Australia, France, Germany, the United Kingdom and the United States.
Every business and government agency relies on critical security technologies to ensure that communications and transactions conducted across the Internet, as well as within closed networks, remain trusted, private and compliant with regulations. The most essential of these technologies are cryptographic keys and digital certificates, which provide the foundation of trust for the modern world of secure communications, card payments, online shopping, smartphones and cloud computing.
Yet failing to manage certificates and keys creates vulnerabilities that cybercriminals exploit to breach enterprise networks, steal data and disrupt critical business operations. Until now, the cost of failed trust from these attacks has not been quantified but is based only on anecdotal evidence. This report changes that by providing hard research data about the financial risks.
Download the full Ponemon 2013 "Annual Cost of Failed Trust Report: Threats & Attacks"
"In partnering with Venafi, we set out to answer for the first time one of the most sought-after questions in information security and compliance: what are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?" said Larry Ponemon, chairman and founder of Ponemon Institute Research. "We rely on keys and certificates to provide the bedrock of trust for all business and government activities, online and in the cloud. Yet criminals are turning our dependence on these trust instruments against us at an alarming rate.
"This new research not only allows us to quantify the cost of these trust exploits, but also gives insight into how enterprise failures in key and certificate management open the door to criminals. More than half of the companies surveyed, for instance, do not know how many keys and certificates they have, which is both a serious security issue and a Governance, Risk and Compliance (GRC) gap that executives must address with proper controls," said Ponemon. "It's not surprising then that all companies we spoke with had suffered an attack on trust due to failed key and certificate management, or that these attacks are projected to cost organizations an average of $35 million, with a maximum possible cost exposure of $398 million per organization. This level of risk and exposure demands remediation."
The report reveals many findings, including:
- High costs: On average enterprises are projected to risk losing an average of $35 million over 24 months from attacks on trust. This is based on a total possible cost exposure of almost $400 million per organization.
- Expensive, preventable exploits: Easily preventable exploits of weak cryptography are most likely and are costly, averaging $125 million per incident, per organization.
- Consequences for Certificate Authority (CA) compromises: Attacks on trusted CAs lead to man-in-the-middle and phishing attacks on enterprises, with costs averaging $73 million per incident, per organization.
- Wide-spread vulnerability: All surveyed enterprises suffered at least one attack on trust due to failed key and certificate management.
In addition to revealing the financial impact of failing to control trust, the research also demonstrates the extent of the challenge facing enterprises in regaining control of their keys and certificates:
- Too vast a problem for manual management: Enterprises estimate they have on average 17,807 keys and certificates, per organization.
- Unknown and unquantified risk: Fifty-one percent of surveyed organizations do not know exactly how many keys and certificates they have.
- Clear and present danger to cloud computing: Respondents believe difficult-to-detect attacks on Secure Shell (SSH) keys, critical for cloud services from Amazon and Microsoft, present the most alarming threat arising from failure to control trust.
- Need to establish control over trust: Already 59 percent of enterprises believe that proper key and certificate management can help them regain control over trust and avoid these risks.
"Cyber criminals understand how fragile our ability to control trust has become, and as a result, they continue to target failed key and certificate management," said Venafi CEO Jeff Hudson. "These exploits wreak havoc by causing unplanned outages, productivity loss, brand damage and data breaches. Until today the financial impact, the extent of the challenges and the industry's recognition of these compromises remained largely unknown and unquantified.
"Trust is the foundation of all relationships, including those between enterprises and the markets they serve. As our world becomes more connected and more dependent on cloud and mobile technologies, maintaining control over trust by managing keys and certificates must be a top priority for all CEOs, CIOs, CISOs and IT security managers," Hudson continued. "When trust is compromised, business stops. Our hope is that this report provides both the validation and the motivation to help business and IT executives take action."
To view the report, visit www.venafi.com/Ponemon
To view a video clip of Venafi CEO Jeff Hudson discussing the research, visit: www.venafi.com/VideoOverview
To learn more about the methodology and key findings, visit the Ponemon Institute blog: www.ponemon.org/blog
About Ponemon Institute
Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.
Venafi is the inventor of and market leader in enterprise key and certificate management (EKCM). Venafi delivered the first enterprise-class solution to discover all digital certificates and cryptographic keys within an organization, connect these assets to the people responsible for them, report on and audit their use to prove compliance, enforce policy, and automate operations to eliminate security risks, unplanned outages and compliance failures. Designed specifically for the enterprise, Venafi Director helps organizations regain control over trust in the data center, on desktops and mobile devices, and in the cloud by managing Any Key. Any Certificate. Anywhere™. Venafi also publishes best practices for effective key and certificate management. Venafi customers include the world's most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.