Organisations are projected to lose $US35 million in the next 24 months as a result of a failure to control trust in the face of new and evolving threats, according to US-based security software company, Venafi.
The study, 2013 Annual Cost of Failed Trust Report: Threats and Attacks, commissioned by Venafi and conducted by Ponemon, indicated that failing to manage keys and certificates means losing control over the trust an organisation relies on to operate.
The study polled 2342 respondents from five locations – Australia, US, UK, France and Germany.
Venafi CEO, Jeff Hudson, said keys and certificates are the perfect target for attack, which will compromise 95 per cent of all businesses and governments globally.
“Most people only know where a few of their keys and certificates are. There is a blind spot and many are unable to discover where keys and certificates are being deployed, how they are being used, and who is using them,” he said.
The study showed that an average of 17,807 server keys and certificates are deployed on infrastructure such as Web servers, databases, network devices and Cloud services in most organisations, but 51 per cent of respondents don’t know how many keys and certificates are in use by their organisation.
Hudson claimed this represents a systemic and unquantified risk and the issue is only going to get worse.
“In this new world, mobility and outsourcing is breaking the perimeter to include Cloud services, new mobile devices, etc. and what’s happening is it’s introducing more avenues for criminals to obtain keys used by a trusted advisor or system.”
Hudson mentioned that the strategy to adopt in solving the problem is control through ownership.
He cited a 2010 study by Forrester Research, which indicated that the future opportunity for IT is to own less as well as regain control over the cryptographic keys and certificates that manage trust for Cloud and mobile computing.
The study reflected his claim, finding that 59 per cent of enterprises said establishing proper key and certificate management before using new encryption and authentication technologies will enable them to regain control over trust and end the present risks of security breaches.
“This is important because when somebody brings their personal device into their corporate network, how do you know what’s on it and how do you trust the device? That’s why this is important,” he added.