When Trust Online Breaks, Businesses Lose Customers

Author: Cecilia Sherman
2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers

This is the second part of the Ponemon Institute’s 2015 Cost of Failed Trust Report, which reveals the damaging impacts on global business from unprotected cryptographic keys and digital certificates. This new report reveals that most companies lose customers, suffer costly outages, fail audits, and experience breaches due to unprotected and poorly managed keys and certificates.

Underwritten by Venafi

Executive Summary

In March 2015, the Ponemon Institute and Venafi published research on the risks global businesses face from attacks on the Internet system of trust established by cryptographic keys and digital certificates.1 Consensus among the over 2,300 participants in Australia, France, Germany, the UK, and the US was that the system of trust was at the breaking point. Analysis of previously unpublished data provides additional insights into the importance of securing keys and certificates in business today. Much of the world’s economy depends on the Internet, and keys and certificates are the foundation of online security. They secure communications and provide authorization and authentication. Global enterprises depend on the trust, privacy, and integrity established by keys and certificates. There are numerous consequences when this foundation isn’t safeguarded. This second part of the 2015 Cost of Failed Trust Report looks at how the failure to secure and manage keys and certificates is adversely impacting today’s businesses, and quantifies the direct financial impacts.

• Unsecured keys and certificates are damaging businesses: Nearly two-thirds of respondents (59%) admitted to losing customers because they failed to secure the online trust established by keys and certificates. In addition, business systems are failing, with an average of over 2 certificate-related unplanned outages per organization over the last 2 years, at an average cost of $15 million per outage. Not surprisingly, businesses also failed one or more SSL/TLS and SSH audits during that same time period.

• The risk continues—at great cost: Our reliance on keys and certificates continues to grow with their increased use for SSL/TLS as well as mobile, WiFi, and VPN access, and the explosion of Internet of Things (IoT) devices. This increased reliance goes hand in hand with increased availability, compliance, and security risks. However, the amount of risk is not equal across these areas—security risk at $53 million over the next 2 years dwarfs availability and compliance risk, which totals $7.2 million.

• Challenges must be addressed: Over half (54%) admitted to a lack of visibility and a lack of policy enforcement and remediation for keys and certificates. Organizations must address these challenges, which underlie the security, availability, and compliance risks caused by unsecured keys and certificates.



Global Demographics: All Suffer Losses


This report includes unpublished data from the survey conducted for the March 2015 Ponemon report, 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point.1 The 2015 research survey was completed by 2,394 IT security professionals around the globe: 646 U.S., 499 U.K., 574 German, 339 French, and 336 Australian respondents. The quantity and geographic breadth of the respondents show that businesses around the globe are suffering the damaging impacts of unsecured keys and certificates. Most respondents were from large enterprises, with 59% from organizations with 5,000 or more employees. For the respondents’ roles, 42% were Administrators, 37% Managers to Supervisors, 17% Executive VP to Director, and 4% other. The largest verticals represented were financial services (17%), government (11%), professional services (8%), consumer products (7%), and retail (7%).


We all have seen Global 2000 businesses in the headlines for breaches that leveraged keys and certificates. These have included Community Health Systems (CHS), which had data on 4.5 million patients stolen using the Heartbleed vulnerability;2 Sony Entertainment, which had SSH keys stolen;3 JPMorgan Chase, which had a certificate compromised and 90 of its servers breached;4 and Anthem, which had information on as many as 80 million people compromised.5


THE IMMUNE SYSTEM FOR THE INTERNET™

Organizations need to protect their keys and certificates with an immune system for the cyber realm:

• Constantly assess which keys and certificates are trusted
• Protect those that should be trusted
• Fix or block those that are not


Damaging Impact: Customers Lost

NEARLY 2/3 OF BUSINESSES ADMIT TO LOSING CUSTOMERS

These businesses lost customers within the last 2 years because they failed to secure the online trust established by keys and certificates.

CRITICAL SYSTEMS FAILED

Globally an average of over 2 business systems per organization stopped working over the last 2 years due to certificate-related outages.

LOSING $15M GLOBAL PER OUTAGE

Security pros estimate this as the average impact per unplanned outage.

AUDITORS ARE CLAMPING DOWN

Over the last 2 years, every business has failed at least 1 SSL/TLS audit and at least 1 SSH audit.

SYMPTOMS OF LARGER SECURITY ISSUES

These certificate-related outages and failed audits reveal underlying security vulnerabilities—if you can’t manage your keys and certificates, you can’t secure and protect them.

Businesses rely on keys and certificates to provide private communications and authorize and authenticate access to online services. This dependence on keys and certificates establishes online trust, giving customers the confidence to conduct online business. As a result, keys and certificates are at the foundation of security that supports much of the world’s economy. When this trust is broken, businesses lose customers. Breaches can rack up millions in costs from incident response, settlements, legal fees, fines, and more. But one of the most damaging costs is customer churn—not only from those that were directly impacted by a breach, but also those that lose faith in the breached organization’s security. In this study, nearly two-thirds (59%) of respondents admitted to losing customers because they failed to secure the online trust established by keys and certificates. With increased awareness around identity theft, phishing, and other online threats to privacy and finances, businesses will lose customers if they cannot ensure safe online access.


In other Ponemon Institute research, lost business was one of three main contributors to the higher cost of data breaches in 2015—potentially resulting in the most costly impact following a breach. This loss of business included, “the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.”6


Damaging Impact: System Failure

Organizations are increasing their reliance on digital certificates to enable SSL/TLS and for mobile, WiFi, and VPN access. And the proliferation of connected Internet of Things devices means even more certificates. However, when these digital certificates expire they block access to servers, websites, and potentially dozens of critical downstream services. If these certificates are not properly managed, the resulting expirations create outages which lower productivity and, ultimately, cause brand damage and lost revenue, profits, and customers.


The threat of certificate-related outages is very real. The average organization has suffered more than 2 system failures due to certificate-related outages within the last 24 months. These outages are costing businesses millions. Security professionals estimated that the average cost of an unplanned certificate-related outage is $15 million.


Gartner estimates that there are 4.9 billion Internet of Things devices connected to the Internet in 2015 and that this will grow to 25 billion devices by 2020.7 We have seen hacks of cars including Jeep,8 Tesla,9 and any General Motors vehicle equipped with OnStar using the RemoteLink app.10 However, as our reliance on the Internet of Things expands, we will need to ensure that our access to medical devices, airlines, traffic light systems, hotel rooms, industrial systems, and other critical devices and systems remains secure and available.


Damaging Impact: Failed Audit

Because keys and certificates are relied on so heavily for authentication, encryption, and assurance, standards—including regulatory, industry, and internal governance standards—dictate requirements for their proper usage. Keys and certificates are a great enabler of security, privacy, integrity, and access, but only when the right processes and technologies are applied. Audits of key and certificate usage provide an opportunity for organizations to assess how they enforce issuance, renewal, replacement, and authorization, allowing them to close security gaps and stop outages. However, organizations are finding that these standards require more than most can deliver. On average, organizations failed at least one SSL/TLS audit and at least one SSH audit within the last 24 months.


With vulnerabilities like Heartbleed, POODLE, and Shellshock eroding the trust established by keys and certificates and outages costing millions, audit findings for key and certificate usage have taken on new significance. Some well-known standards that address keys and certificates include the following:

• SANS Critical Security Controls
• ISO/IEC 27002-2013
• NIST 800-53
• PCI-DSS
• HITRUST
• And more…

Security Risk Dominates

With unprotected keys and certificates, organizations are faced with security, availability, and compliance-related risks. However, these risks are not equal. The security risk from unprotected keys and certificates dwarfs those for availability and compliance. Security professionals estimate that, per organization, the combined risk for both key- and certificate-related availability and compliance issues is $7.2 million. This risk is the possible damage to an organization over the next two years (risk equals probability of occurrence times cost of total impact). Security risk, on the other hand, was estimated at $53 million—over 7 times as much. And this is up 51% from 2013 ($35 million).

SECURITY RISK DWARFS AVAILABILITY AND COMPLIANCE RISK

Total risk per organization over the next 2 years:
• $7.2M: Combined availability and compliance risk
• $53M: Risk of attack using keys and certificates
Risk = Probability of attack x total impact

Of the key and certificate attack types, a cryptoapocalypse carries the greatest security risk over the next 2 years at $20 million.

Cryptoapocalypse: a discovered cryptographic weakness that becomes the ultimate weapon, allowing websites, payment transactions, stock trades, and governments to be spoofed or surveilled (term was coined by researchers presenting their findings at Black Hat 2013).11

$20M CRYPTOAPOCALYPSE IS THE BIGGEST SECURITY RISK

SECURITY RISK UP 51% from 2013 ($35 million)


Why Trust Is Breaking


54% LACK VISIBILITY

They don’t know how many keys and certificates they have, where they are used, or who owns them.

Why is trust online breaking and why are businesses failing? IT security teams lack the visibility and the policy enforcement to determine what’s trusted and what’s not. As was highlighted in the first 2015 Cost of Failed Trust Report, 54% of security professionals said they don’t know how many keys they have, where they are all located, or how they are used. This is up from 50% two years ago. However, most security analysts believe this number to be grossly underestimated.

54% LACK POLICY ENFORCEMENT AND REMEDIATION

They can’t secure the entire key and certificate lifecycle.

Similarly, 54% said they lack policy enforcement and remediation for keys and certificates. With most security teams trying to manage keys and certificates with spreadsheets, it is impossible to conduct accurate tracking or to secure the entire key and certificate lifecycle. As the number of keys and certificates grows, the risks from unprotected keys and certificates will only get worse.

With Google prioritizing search results for sites using HTTPS12 and organizations considering an Encrypt Everything approach,13 the drive to activate and expand encryption is gaining support from all types of businesses. With the average organization already using at least 23,922 keys and certificates, managing the deployment of even more will prove challenging for most organizations.


Conclusion: Businesses Are Failing

Unprotected keys and certificates are jeopardizing the digital trust which underpins the world’s economy. With a lack of visibility, policy enforcement, and remediation, unprotected keys and certificates are causing a loss of customers, system outages, and audit failures. Protecting keys and certificates must become a priority or businesses will continue to fail. What is needed to secure keys and certificates and regain online trust? Organizations need to initiate processes and technologies that allow them to gain complete visibility into their key and certificate inventory and apply policies that comply with regulatory, industry, and internal governance standards—to avoid both outages and compromise. With this visibility, businesses must then be able to assess the trustworthiness of keys and certificates. When deemed untrustworthy, they must be able to remediate quickly to preserve their business and brand. Many of these processes should be automated, enabling keys and certificates to support dynamic technologies and innovation.

ACTION PLAN

1. Know what’s being used: find all keys and certificates
2. Establish what should be trusted: enforce policy, automate security
3. Always know what’s trusted, what’s not: continuously monitor, check reputation for all
4. Remediate what’s not trusted: fix and replace vulnerable keys and certificates
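The four action-plan steps above, together with the certificate-expiration outages described under System Failure, as an added example that is not the report’s or Venafi’s code: a Python inventory check that evaluates a constructed list of certificate records against a trust policy and orders the remediation work so expired or expiring certificates come first. Every subject, host, owner, date and policy threshold (RSA ≥ 2048 bits, no SHA-1 or MD5 signatures, ≤ 825-day validity, 30-day expiry warning) is an assumption for illustration.

```python
"""Key and certificate inventory policy check (added example, not the report's code).
Walks the report's four action-plan steps over a constructed inventory: know what is
used, establish what should be trusted, keep checking trust, produce a remediation list.
All subjects, hosts, owners, dates and policy values below are assumed sample data."""
from dataclasses import dataclass
from datetime import date

TODAY = date(2015, 9, 15)  # fixed "today" so results are reproducible offline

@dataclass
class CertRecord:
    subject: str     # CN the certificate was issued for
    location: str    # where it is deployed (host or service)
    owner: str       # accountable team; empty string = unknown owner
    not_before: date
    not_after: date
    key_type: str    # "RSA" or "EC"
    key_bits: int
    sig_alg: str     # signature algorithm, e.g. "sha256WithRSA"

# Assumed policy reflecting common audit expectations (not figures from the report).
POLICY = {
    "min_rsa_bits": 2048,
    "min_ec_bits": 256,
    "banned_sig_algs": {"sha1WithRSA", "md5WithRSA"},
    "max_validity_days": 825,
    "expiry_warning_days": 30,
}

def evaluate(rec, today=TODAY, policy=POLICY):
    """Return the policy findings for one record; an empty list means trusted."""
    findings = []
    if not rec.owner:
        findings.append("no owner")  # visibility gap: nobody to call when it breaks
    if rec.key_type == "RSA" and rec.key_bits < policy["min_rsa_bits"]:
        findings.append(f"weak RSA key ({rec.key_bits} bits)")
    if rec.key_type == "EC" and rec.key_bits < policy["min_ec_bits"]:
        findings.append(f"weak EC key ({rec.key_bits} bits)")
    if rec.sig_alg in policy["banned_sig_algs"]:
        findings.append(f"banned signature algorithm ({rec.sig_alg})")
    if (rec.not_after - rec.not_before).days > policy["max_validity_days"]:
        findings.append("validity period exceeds policy")
    days_left = (rec.not_after - today).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")  # outage already possible
    elif days_left <= policy["expiry_warning_days"]:
        findings.append(f"expires in {days_left} days")  # renew before it causes an outage
    return findings

def remediation_plan(inventory, today=TODAY, policy=POLICY):
    """Work list of (subject, findings); expired or expiring certificates come first."""
    plan = []
    for rec in inventory:
        findings = evaluate(rec, today, policy)
        if findings:
            urgent = any(f.startswith(("expired", "expires")) for f in findings)
            plan.append((0 if urgent else 1, rec.subject, findings))
    plan.sort(key=lambda item: item[:2])
    return [(subject, findings) for _, subject, findings in plan]

INVENTORY = [  # constructed sample inventory, not real hosts
    CertRecord("shop.example.test", "lb-01", "web-team", date(2015, 1, 10), date(2016, 1, 10), "RSA", 2048, "sha256WithRSA"),
    CertRecord("api.example.test", "api-03", "", date(2015, 3, 1), date(2015, 9, 30), "RSA", 2048, "sha256WithRSA"),
    CertRecord("legacy.example.test", "app-07", "ops", date(2012, 5, 1), date(2015, 8, 1), "RSA", 1024, "sha1WithRSA"),
    CertRecord("vpn.example.test", "vpn-gw", "netops", date(2014, 6, 1), date(2017, 6, 1), "EC", 256, "ecdsa-with-SHA256"),
]

if __name__ == "__main__":
    for subject, findings in remediation_plan(INVENTORY):
        print(f"{subject}: {'; '.join(findings)}")
```

In a real deployment the records would be populated by discovery (scanning endpoints and parsing the certificates found) rather than typed in, and the check would run on a schedule so the expiry findings appear before an outage does.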

Biological systems have immune systems that identify what is self, good, and trusted. Similarly, the Internet uses keys and certificates for identification. However, there has not been an immune system for the cyber realm to indicate which keys and certificates should be trusted and which should not. The insights from this study provide further evidence into how fragile the Internet system of trust is and how important it is for businesses to have an immune system for the cyber realm to secure keys and certificates.


About Ponemon Institute

Ponemon Institute conducts independent research on privacy, data protection and information security policy. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise. You can learn more by visiting Ponemon.org.

About Venafi

Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity—keys and certificates—so they can’t be misused by bad guys in attacks. Venafi constantly assesses which keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not.

Copyright © 2015 Venafi, Inc. All rights reserved. Venafi, Inc. Part number: 1-0049-0915

References

1. Ponemon Institute. 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. 2015.
2. Davek. TrustedSec. CHS Hacked via Heartbleed Vulnerability. August 19, 2014.
3. Ragan, Steve. CSO. Report: Sony Pictures Facing Full Network Compromise. November 24, 2014.
4. Wall Street Journal. J.P. Morgan Says About 76 Million Households Affected By Cyber Breach. October 2, 2014.
5. Krebs, Brian. KrebsonSecurity. Anthem Breach May Have Started in April 2014. February 9, 2015.
6. Ponemon Institute. 2015 Cost of Data Breach Study: Global Analysis. May 2015.
7. Gartner. Press Release. Gartner Says 4.9 Billion Connected “Things” Will Be in Use in 2015. November 11, 2014.
8. Greenberg, Andy. WIRED. Hackers Remotely Kill a Jeep on the Highway—with Me in It. July 21, 2015.
9. Zetter, Kim. WIRED. Researchers Hacked a Model S, But Tesla’s Already Released a Patch. August 6, 2015.
10. Greenberg, Andy. WIRED. This Gadget Hacks GM Cars to Locate, Unlock, and Start Them (UPDATED). July 30, 2015.
11. Stamos, Alex, et al. Black Hat USA 2013. Preparing for the Cryptopocalypse. July 2013.
12. Ait Bahajji, Zineb and Illyes, Gary. Google Online Security Blog. HTTPS as a Ranking Signal. August 6, 2014.
13. Finley, Klint. WIRED. It’s Time to Encrypt the Entire Internet. April 17, 2014.
