Digital Certificates Chaos Could Cost Companies $398 Million
More than half of organizations don't know where their encryption keys and digital certificates are deployed, how they are being used and who is using them. Nor do they have an accurate inventory of their keys and certificates. This makes them vulnerable to attacks that target trust instruments.
Mon, March 04, 2013
CIO — Trust. It is the basis of all digital transactions. We trust that our inventory systems are providing the correct information, that the documents we're reading have not been altered, that the entity on the other side of a financial transaction is our bank.
But outside of the security function, the mechanisms of trust in the digital world—the mechanisms that every business and government agency relies on to ensure that communications and transactions conducted across the Internet and within closed networks remain trusted, private and compliant with regulations—are not readily understood. That makes them vulnerable, and criminals increasingly prey on that trust.
Imagine, for instance, a criminal exploiting a digital certificate for a printer in the executive suite, giving the bad guys the capability to read every document as it's printed.
"When the printer in the executive office gets hacked, people can just watch the stream," says Jeff Hudson, CEO of Salt Lake City-based Enterprise Key and Certificate Management (EKCM) provider Venafi.
"Those executives might not want to put sensitive documents in email because they feel email is too insecure, but they might as well just email it directly to the people who want to manipulate the stock price," Hudson says. "Nobody's looking. The criminals will figure out how to get into the stream."
Attacks on Trust Will Cost Enterprises Average of $35 Million
According to a new study by Ponemon Institute, underwritten by Venafi, Global 2000 organizations are projected to lose an average of $35 million over the next 24 months due to attacks on trust. Larry Ponemon, chairman and founder of Ponemon Institute Research, says that estimate is based on a total possible cost exposure of $398 million per organization.
"In partnering with Venafi, we set out to answer for the first time one of the most sought-after questions in information security and compliance: What are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?" Ponemon says.
"We rely on keys and certificates to provide the bedrock of trust for all business and government activities, online and in the cloud. Yet criminals are turning our dependence on these trust instruments against us at an alarming rate," Ponemon says.
"This new research not only allows us to quantify the cost of these trust exploits, but also gives insight into how enterprise failures in key and certificate management open the door to criminals," Ponemon adds.
"More than half of the companies surveyed, for instance, do not know how many keys and certificates they have, which is both a serious security issue and a Governance, Risk and Compliance (GRC) gap that executives must address with proper controls," Ponemon says.