Businesses do not get the concept of certificate management and there is a lack of trust between users, according to Venafi.
According to its report, produced in conjunction with the Ponemon Institute, ‘trust-based’ attacks can cost an organisation £260 million every two years. The survey of 2,342 Global 2000 enterprises found that attacks on trusted certificate authorities (CAs) average £47.7 million per incident, while all enterprises surveyed suffered at least one attack on trust due to failed key and certificate management.
Jeff Hudson, CEO of Venafi, said: “Cyber criminals understand how fragile our ability to control trust has become and, as a result, they continue to target failed key and certificate management.
“These exploits wreak havoc by causing unplanned outages, productivity loss, brand damage and data breaches. Until today the financial impact, the extent of the challenges, and the industry's recognition of these compromises remained largely unquantified.”
Speaking to SC Magazine, Hudson said that most people do not get the concept of trust online. “If you recognise someone in the street you trust that it is them, or you get how you trust a lock on the door, but why do you trust online? With SSL and certificates it is not easy,” he said.
“Businesses are not attacked on the server or on the router, but on trust. We say 'stop using it' but it is hard to get people to stop and look. Trust is the number one vulnerability and the number one element is the SSH key.”
Hudson said that 51 per cent of respondents did know where their certificates or keys were, and that by putting them in the cloud to get rid of an internal device process, you are putting them into someone else's hands and have no control over them.
“Certificates are vulnerable, look at DigiNotar, they got attacked but they didn't know about it. This is a huge issue and why you have to pay attention to certificates.
“Look at Flame, it started with a compromised digital certificate. The management of stuff measures up, we are just so blocked by technology that we don't stop to think of the next level.
“If you do a good job of key management, you solve the problem of management of keys but it will not address the whole problem. A key can be meaningless. We see everything measured to the state of encryption so [this is] the only way to ensure that the device will not be compromised. By not addressing this, it will cost companies money.”
The report found that respondents estimate they have on average 17,807 keys and certificates, and 59 per cent believe that proper key and certificate management can help them regain control over trust and avoid these risks.
Larry Ponemon, chairman and founder of Ponemon Institute Research, said: “In partnering with Venafi, we set out to answer for the first time one of the most sought-after questions in information security and compliance: what are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?
“We rely on keys and certificates to provide the bedrock of trust for all business and government activities, online and in the cloud. This new research not only allows us to quantify the cost of these trust exploits, but also gives insight into how enterprise failures in key and certificate management open the door to criminals.”