Ponemon 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers
This is the second part of the Ponemon Institute’s 2015 Cost of Failed Trust Report, which reveals the damaging impacts on global business from unprotected cryptographic keys and digital certificates. This new report reveals that most companies lose customers, suffer costly outages, fail audits, and experience breaches due to unprotected and poorly managed keys and certificates.
Underwritten by Venafi
Executive Summary
In March 2015, the Ponemon Institute and Venafi published research on the risks global businesses face from attacks on the Internet system of trust established by cryptographic keys and digital certificates.1 Consensus among the over 2,300 participants in Australia, France, Germany, UK, and US was that the system of trust was at the breaking point.

Analysis of previously unpublished data provides additional insights into the importance of securing keys and certificates in business today. Much of the world’s economy depends on the Internet, and keys and certificates are the foundation of online security. They secure communications and provide authorization and authentication. Global enterprises depend on the trust, privacy, and integrity established by keys and certificates.

There are numerous consequences when this foundation isn’t safeguarded. This second part of the 2015 Cost of Failed Trust Report looks at how the failure to secure and manage keys and certificates is adversely impacting today’s businesses, and quantifies the direct financial impacts.
• Unsecured keys and certificates are damaging businesses: Nearly two-thirds of respondents (59%) admitted to losing customers because they failed to secure the online trust established by keys and certificates. In addition, business systems are failing, with an average of over 2 certificate-related unplanned outages per organization over the last 2 years, at an average cost of $15 million per outage. Not surprisingly, businesses also failed one or more SSL/TLS and SSH audits during that same time period.
• The risk continues—at great cost: Our reliance on keys and certificates continues to grow with their increased use for SSL/TLS as well as mobile, WiFi, and VPN access, and the explosion of Internet of Things (IoT) devices. This increased reliance goes hand in hand with increased availability, compliance, and security risks. However, the amount of risk is not equal across these areas—security risk at $53 million over the next 2 years dwarfs availability and compliance risk, which totals $7.2 million.
• Challenges must be addressed: Over half (54%) admitted to a lack of visibility and a lack of policy enforcement and remediation for keys and certificates. Organizations must address these challenges, which underlie the security, availability, and compliance risks caused by unsecured keys and certificates.
Global Demographics: All Suffer Losses
This report includes unpublished data from the survey conducted for the March 2015 Ponemon report, 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point.1 The 2015 research survey was completed by 2,394 IT security professionals around the globe: 646 U.S., 499 U.K., 574 German, 339 French, and 336 Australian respondents. The quantity and geographic breadth of the respondents shows that businesses around the globe are suffering the damaging impacts of unsecured keys and certificates.

Most respondents were from large enterprises, with 59% from organizations with 5,000 or more employees. For the respondents’ roles, 42% were Administrators, 37% Managers to Supervisors, 17% Executive VP to Director, and 4% other. The largest verticals represented were financial services (17%), government (11%), professional services (8%), consumer products (7%), and retail (7%).
We all have seen Global 2000 businesses in the headlines for breaches that leveraged keys and certificates. These have included Community Health Systems (CHS), which had data on 4.5 million patients stolen using the Heartbleed vulnerability;2 Sony Entertainment, which had SSH keys stolen;3 JPMorgan Chase, which had a certificate compromised and 90 of its servers breached;4 and Anthem, which had information on as many as 80 million people compromised.5
Damaging Impact: Customers Lost
WHEN TRUST ONLINE BREAKS, BUSINESSES LOSE CUSTOMERS
The damaging impacts on global business from unprotected cryptographic keys and digital certificates. Includes unpublished data from the survey conducted for the March 2015 Ponemon report, 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point.1

NEARLY 2/3 OF BUSINESSES ADMIT TO LOSING CUSTOMERS
These businesses lost customers within the last 2 years because they failed to secure the online trust established by keys and certificates.

CRITICAL SYSTEMS FAILED
Globally an average of over 2 business systems per organization stopped working over the last 2 years due to certificate-related outages.

LOSING $15M GLOBAL PER OUTAGE
Security pros estimate this as the average impact per unplanned outage.

AUDITORS ARE CLAMPING DOWN
Over the last 2 years, every business has failed at least 1 SSL/TLS audit and at least 1 SSH audit.

SYMPTOMS OF LARGER SECURITY ISSUES
These certificate-related outages and failed audits reveal underlying security vulnerabilities—if you can’t manage your keys and certificates, you can’t secure and protect them.
Businesses rely on keys and certificates to provide private communications and to authorize and authenticate access to online services. This dependence on keys and certificates establishes online trust, giving customers the confidence to conduct online business. As a result, keys and certificates are at the foundation of the security that supports much of the world’s economy.

When this trust is broken, businesses lose customers. Breaches can rack up millions in costs from incident response, settlements, legal fees, fines, and more. But one of the most damaging costs is customer churn—not only from those that were directly impacted by a breach, but also those that lose faith in the breached organization’s security.

In this study, nearly two-thirds (59%) of respondents admitted to losing customers because they failed to secure the online trust established by keys and certificates. With increased awareness around identity theft, phishing, and other online threats to privacy and finances, businesses will lose customers if they cannot ensure safe online access.
In other Ponemon Institute research, lost business was one of three main contributors to the higher cost of data breaches in 2015—potentially resulting in the most costly impact following a breach. This loss of business included “the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.”6
Damaging Impact: System Failure
Organizations are increasing their reliance on digital certificates to enable SSL/TLS and for mobile, WiFi, and VPN access. And the proliferation of connected Internet of Things devices means even more certificates. However, when these digital certificates expire they block access to servers, websites, and potentially dozens of critical downstream services. If these certificates are not properly managed, the resulting expirations create outages which lower productivity and, ultimately, cause brand damage and lost revenue, profits, and customers.
The threat of certificate-related outages is very real. The average organization has suffered more than 2 system failures due to certificate-related outages within the last 24 months. These outages are costing businesses millions. Security professionals estimated that the average cost of an unplanned certificate-related outage is $15 million.
Gartner estimates that there are 4.9 billion Internet of Things devices connected to the Internet in 2015 and that this will grow to 25 billion devices by 2020.7 We have seen hacks of cars including Jeep,8 Tesla,9 and any General Motors vehicle equipped with OnStar using the RemoteLink app.10 As our reliance on the Internet of Things expands, we will need to ensure that our access to medical devices, airlines, traffic light systems, hotel rooms, industrial systems, and other critical devices and systems remains secure and available.
Damaging Impact: Failed Audit
AUDITORS ARE CLAMPING DOWN
Over the last 2 years, every business has failed at least 1 SSL/TLS audit and at least 1 SSH audit.
Because keys and certificates are relied on so heavily for authentication, encryption, and assurance, standards—including regulatory, industry, and internal governance standards—dictate requirements for their proper usage. Keys and certificates are a great enabler of security, privacy, integrity, and access, but only when the right processes and technologies are applied.

Audits of key and certificate usage provide an opportunity for organizations to assess how they enforce issuance, renewal, replacement, and authorization, allowing them to close security gaps and stop outages. However, organizations are finding that these standards require more than most can deliver. On average, organizations failed at least one SSL/TLS audit and at least one SSH audit within the last 24 months.
With vulnerabilities like Heartbleed, POODLE, and Shellshock eroding the trust established by keys and certificates, and outages costing millions, audit findings for key and certificate usage have taken on new significance. Some well-known standards that address keys and certificates include the following:
• SANS Critical Security Controls
• ISO/IEC 27002-2013
• NIST 800-53
• PCI-DSS
• HITRUST
• And more…
Security Risk Dominates
With unprotected keys and certificates, organizations are faced with security, availability, and compliance related risks. However, these risks are not equal. The security risk from unprotected keys and certificates dwarfs those for availability and compliance.

Security professionals estimate that, per organization, the combined risk for both key- and certificate-related availability and compliance issues is $7.2 million. This risk is the possible damage to an organization over the next two years (risk equals probability of occurrence times cost of total impact). Security risk, on the other hand, was estimated at $53 million—over 7 times as much. And this is up 51% from 2013 ($35 million).
SECURITY RISK DWARFS AVAILABILITY AND COMPLIANCE RISK
Total risk per organization over the next 2 years
$7.2M Combined availability and compliance risk
$53M Risk of attack using keys and certificates
Risk = Probability of attack x total impact

Of the key and certificate attack types, a cryptoapocalypse carries the greatest security risk over the next 2 years at $20 million.

Cryptoapocalypse: a discovered cryptographic weakness that becomes the ultimate weapon, allowing websites, payment transactions, stock trades, and governments to be spoofed or surveilled (term was coined by researchers presenting their findings at Black Hat 2013).11

$20M CRYPTOAPOCALYPSE IS THE BIGGEST SECURITY RISK
SECURITY RISK UP 51% from 2013 ($35 million)
Why Trust Is Breaking
54% LACK VISIBILITY: They don’t know how many keys and certificates they have, where they are used, or who owns them.
Why is trust online breaking and why are businesses failing? IT security teams lack the visibility and the policy enforcement to determine what’s trusted and what’s not. As was highlighted in the first 2015 Cost of Failed Trust Report, 54% of security professionals said they don’t know how many keys they have, where they are all located, or how they are used. This is up from 50% two years ago. However, most security analysts believe this number to be grossly underestimated.
54% LACK POLICY ENFORCEMENT AND REMEDIATION: They can’t secure the entire key and certificate lifecycle.
Similarly, 54% said they lack policy enforcement and remediation for keys and certificates. With most security teams trying to manage keys and certificates with spreadsheets, it is impossible to conduct accurate tracking or to secure the entire key and certificate lifecycle. As the number of keys and certificates grows, the risks from unprotected keys and certificates will only get worse.
With Google prioritizing search results for sites using HTTPS12 and organizations considering an Encrypt Everything approach,13 the drive to activate and expand encryption is gaining support from all types of businesses. With the average organization already using at least 23,922 keys and certificates, managing the deployment of even more will prove challenging for most organizations.

THE IMMUNE SYSTEM FOR THE INTERNET™
Organizations need to protect their keys and certificates with an immune system for the cyber realm:
• Constantly assess which keys and certificates are trusted
• Protect those that should be trusted
• Fix or block those that are not
Conclusion: Businesses Are Failing
Unprotected keys and certificates are jeopardizing the digital trust which underpins the world’s economy. With a lack of visibility, policy enforcement, and remediation, unprotected keys and certificates are causing a loss of customers, system outages, and audit failures. Protecting keys and certificates must become a priority or businesses will continue to fail.
What is needed to secure keys and certificates and regain online trust? Organizations need to initiate processes and technologies that allow them to gain complete visibility into their key and certificate inventory and apply policies that comply with regulatory, industry, and internal governance standards—to avoid both outages and compromise. With this visibility, businesses must then be able to assess the trustworthiness of keys and certificates. When deemed untrustworthy, they must be able to remediate quickly to preserve their business and brand. Many of these processes should be automated, enabling keys and certificates to support dynamic technologies and innovation.
ACTION PLAN
1. Know what’s being used: find all keys and certificates
2. Establish what should be trusted: enforce policy, automate security
3. Always know what’s trusted, what’s not: continuously monitor, check reputation for all
4. Remediate what’s not trusted: fix and replace vulnerable keys and certificates
Biological systems have immune systems that identify what is self, good, and trusted. Similarly, the Internet uses keys and certificates for identification. However, there has not been an immune system for the cyber realm to indicate which keys and certificates should be trusted and which should not.

The insights from this study provide further evidence of how fragile the Internet system of trust is and how important it is for businesses to have an immune system for the cyber realm to secure keys and certificates.
About Ponemon Institute
Ponemon Institute conducts independent research on privacy, data protection and information security policy. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise. You can learn more by visiting Ponemon.org.
About Venafi
Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity—keys and certificates—so they can’t be misused by bad guys in attacks. Venafi constantly assesses which keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not.
Copyright © 2015 Venafi, Inc. All rights reserved. Venafi, Inc.
Part number: 1-0049-0915
References
1. Ponemon Institute. 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. 2015.
2. Davek. TrustedSec. CHS Hacked via Heartbleed Vulnerability. August 19, 2014.
3. Ragan, Steve. CSO. Report: Sony Pictures Facing Full Network Compromise. November 24, 2014.
4. Wall Street Journal. J.P. Morgan Says About 76 Million Households Affected By Cyber Breach. October 2, 2014.
5. Krebs, Brian. KrebsonSecurity. Anthem Breach May Have Started in April 2014. February 9, 2015.
6. Ponemon Institute. 2015 Cost of Data Breach Study: Global Analysis. May 2015.
7. Gartner. Press Release. Gartner Says 4.9 Billion Connected “Things” Will Be in Use in 2015. November 11, 2014.
8. Greenberg, Andy. WIRED. Hackers Remotely Kill a Jeep on the Highway—with Me in It. July 21, 2015.
9. Zetter, Kim. WIRED. Researchers Hacked a Model S, But Tesla’s Already Released a Patch. August 6, 2015.
10. Greenberg, Andy. WIRED. This Gadget Hacks GM Cars to Locate, Unlock, and Start Them (UPDATED). July 30, 2015.
11. Stamos, Alex, et al. Black Hat USA 2013. Preparing for the Cryptopocalypse. July 2013.
12. Ait Bahajji, Zineb and Illyes, Gary. Google Online Security Blog. HTTPS as a Ranking Signal. August 6, 2014.
13.Finley, Klint. WIRED. It’s Time to Encrypt the Entire Internet. April 17, 2014.