Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
1. WHEN TRUST ONLINE BREAKS, BUSINESSES LOSE CUSTOMERS
The damaging impacts on global business from unprotected cryptographic keys and digital certificates.
Includes unpublished data from the survey conducted for the March 2015 Ponemon report, 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point.1
1. Ponemon Institute. 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. 2015.
2. NEARLY 2/3 OF BUSINESSES ADMIT TO LOSING CUSTOMERS
These businesses lost customers within the last 2 years because they failed to secure the online trust established by keys and certificates.
UNPROTECTED KEYS AND CERTIFICATES HAVE SEVERE IMPACTS ON BUSINESS
3. CRITICAL SYSTEMS FAILED
Globally an average of over 2 business systems per organization stopped working over the last 2 years due to certificate-related outages.
LOSING $15M GLOBAL PER OUTAGE
Security pros estimate this as the average impact per unplanned outage.
4. AUDITORS ARE CLAMPING DOWN
Over the last 2 years, every business has failed at least 1 SSL/TLS audit and at least 1 SSH audit.
SYMPTOMS OF LARGER SECURITY ISSUES
These certificate-related outages and failed audits reveal underlying security vulnerabilities—if you can’t manage your keys and certificates, you can’t secure and protect them.
5. SECURITY RISK DWARFS AVAILABILITY AND COMPLIANCE RISK
Total risk per organization over the next 2 years:
$7.2M  Combined availability and compliance risk
$53M   Risk of attack using keys and certificates
Risk = Probability of attack x total impact
WHAT’S THE RESULT?
6. $20M: CRYPTOAPOCALYPSE IS THE BIGGEST SECURITY RISK
Cryptoapocalypse: a discovered cryptographic weakness that becomes the ultimate weapon, allowing websites, payment transactions, stock trades, and governments to be spoofed or surveilled (term was coined by researchers presenting their findings at Black Hat 2013).2
2. Stamos, Alex, et al. Blackhat USA 2013. Preparing for the Cryptopocalypse. July 2013.
7. 2,394 RESPONDENTS (IT Security Professionals)
Australia      336
France         339
Germany        574
UK             499
United States  646
WHO DID WE ASK?
9. 54% LACK VISIBILITY
They don’t know how many keys and certificates they have, where they are used, or who owns them.
54% LACK POLICY ENFORCEMENT AND REMEDIATION
They can’t secure the entire key and certificate lifecycle.
COMMON CHALLENGES THAT LEAD TO UNPROTECTED KEYS AND CERTIFICATES
10. THE IMMUNE SYSTEM FOR THE INTERNET™
Organizations need to protect their keys and certificates with an immune system for the cyber realm:
• Constantly assess which keys and certificates are trusted
• Protect those that should be trusted
• Fix or block those that are not
HOW BUSINESSES REDUCE THESE RISKS
11. ACTION PLAN
1. Know what’s being used: find all keys and certificates.
2. Establish what should be trusted: enforce policy, automate security.
3. Always know what’s trusted, what’s not: continuously monitor, check reputation for all.
4. Remediate what’s not trusted: fix and replace vulnerable keys and certificates.
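As an added illustration of the four action-plan steps above (this is example code written for this page, not code from Venafi or the Ponemon report), the Go program below inventories every certificate in a PEM bundle, applies a trust policy to each (expired, expiring within a warning window, or carrying a weak key), and returns the findings that need remediation. The certificate names, the one-year validity, the 30-day warning window and the 2048-bit RSA / 256-bit EC minimums are all assumptions chosen for the demo; the sample bundle is constructed in-code relative to the current time so the run is repeatable offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Finding is one policy violation for one certificate.
type Finding struct {
	Subject string
	Problem string
}

// AuditPEM walks every CERTIFICATE block in a PEM bundle (find what is in use),
// checks each with checkCert (establish what should be trusted) and returns
// the findings that need remediation.
func AuditPEM(bundle []byte, now time.Time, warnDays int) ([]Finding, error) {
	var findings []Finding
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // private keys or other blocks in the same file are not audited
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		findings = append(findings, checkCert(cert, now, warnDays)...)
	}
	return findings, nil
}

// checkCert applies the assumed policy: not expired, more than warnDays of
// validity left, and a key of at least 2048-bit RSA or a 256-bit curve.
func checkCert(cert *x509.Certificate, now time.Time, warnDays int) []Finding {
	var out []Finding
	flag := func(p string) { out = append(out, Finding{cert.Subject.CommonName, p}) }
	if now.After(cert.NotAfter) {
		flag("expired")
	} else if cert.NotAfter.Sub(now) < time.Duration(warnDays)*24*time.Hour {
		flag("expires-soon")
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < 2048 {
			flag("weak-rsa-key")
		}
	case *ecdsa.PublicKey:
		if k.Curve.Params().BitSize < 256 {
			flag("weak-ec-key")
		}
	default:
		flag("unsupported-key-type")
	}
	return out
}

// must panics on error; used only while building the constructed sample data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed self-signed certificate valid for one year
// ending at notAfter, PEM-encoded.
func selfSigned(serial int64, cn string, priv, pub interface{}, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory is a constructed bundle of three certificates relative to now:
// a healthy one, one expiring in 10 days, and an expired one on a 1024-bit RSA key.
func SampleInventory(now time.Time) []byte {
	ecKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rsaKey := must(rsa.GenerateKey(rand.Reader, 1024)) // deliberately weak for the demo
	bundle := selfSigned(1, "app.example", ecKey, &ecKey.PublicKey, now.AddDate(0, 0, 300))
	bundle = append(bundle, selfSigned(2, "api.example", ecKey, &ecKey.PublicKey, now.AddDate(0, 0, 10))...)
	bundle = append(bundle, selfSigned(3, "legacy.example", rsaKey, &rsaKey.PublicKey, now.AddDate(0, 0, -5))...)
	return bundle
}
```

Running AuditPEM(SampleInventory(now), now, 30) yields three findings: api.example expires soon, and legacy.example is both expired and on a weak RSA key, while app.example passes. In practice the bundle would come from a discovery sweep of hosts and key stores rather than from SampleInventory, and the audit would be scheduled so that an approaching expiry is caught before it becomes one of the outages the report counts.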
12. Secure the trust established by keys and certificates.
Find out more in the report, 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers.
Venafi.com/BrokenTrust
Contact Venafi to discover your risk exposure.
Venafi.com/contact
Unprotected keys and certificates are jeopardizing the digital trust which underpins most of the world’s economy: