Every Global 2000 enterprise faces a total exposure of almost U.S. $400 million over 24 months due to new and evolving attacks on failed cryptographic key and digital certificate management. And adjusting for probability established by survey participants, we found every enterprise risks losing $35 million.
These findings cap our First Annual Cost of Failed Trust Report: Threats and Attacks, which quantifies, for the first time, the financial impact of new threats and attacks on our ability to control trust.
I’ve worked at the forefront of IT security research for years, but the numbers still stunned me. The audited results from 2,234 respondents in five countries clearly show the very real impact that a whole new set of exploits can have on enterprises. This level of risk demands immediate attention and remediation, especially since every respondent reported that their organization has already been the victim of at least one of these exploits.
I don’t just want to knock you out of your chair with these numbers—even though I almost fell out of mine—I want you to understand what they really mean. With that goal in mind, let’s take a closer look into the data and methodologies we used to produce the report.
How we obtained the numbers
We began our data collection using many of the same practices that we have applied over years of research. We created a large sample, drawing data from 2,342 mostly Global 2000 enterprises in five geographic regions and 16 vertical industries. We requested respondents who were IT security professionals experienced in the field.
Well aware that we were breaking new ground, I paid careful attention to the methodology, selecting the expected value approach as the most appropriate. This well-established, risk-based approach helps you assess how much you can expect to lose from incidents that have wide-ranging, hard-to-pin-down effects and that occur at unknown intervals.
Here’s the formula:
Total Exposure x Likelihood of Occurrence = Expected Exposure
You can think of the costs that your business incurs as the result of a series of bets. The total exposure is the size of the bet—how much you stand to lose, in terms of operational costs, productivity, revenue and reputation, if an issue occurs. The odds of the game correspond to the likelihood of that issue actually occurring, which depends in no small part on how well you manage your assets. The expected exposure indicates how much you can expect to lose on average.
Take an example from the report: you’re a Global 2000 enterprise betting $125 million, the potential total impact from the attack, that a hacker won’t exploit a key that uses weak legacy encryption. The likelihood that you’re wrong is 18%, the percentage of respondents who believe their organization will be impacted by this attack in the next two years. As long as you keep playing that game with those odds, you’re going to lose about $22.5 million. Of course, you could be lucky and lose less—or unlucky and lose more.
That’s the quick look at the methodology. If you’re interested in the details, dive in here.
What the numbers mean for you
I hope that this insight into our methodology helps you to understand the Cost of Failed Trust Report and better put it to use.
Now consider your own organization. Are you among the 51% of respondents who don’t know how many keys and certificates they have or where they’re used? If you are, our research shows there are, on average, over 17,000 keys and certificates in your infrastructure and cloud services. Not knowing will greatly increase your risk and likelihood of being a victim of exploits on key and certificate management.
Earlier, I compared the risk of incurring costs due to failed trust to placing a bet. Unlike at Vegas, though, you can’t change the size of the bet—that’s fixed by the crucial service that the keys and certificates provide and the impact of what losing control over the trust they establish can have. You can only change the odds.
So we might find a more productive analogy in an asteroid hitting the earth, as we were so recently reminded could happen. We can’t change the devastating consequences of such an event. But we can change the likelihood by tracking asteroids and changing their path well before disaster strikes. Similarly, you can change the odds of losing control of trust, and thus minimize your likely losses, by actively managing your keys and certificates in the enterprise, on mobile devices, and out in the cloud.
A deeper dive into the methodology
For those readers who want to learn even more, I’ve put together a deeper look at how we created real-world scenarios and then assessed the costs and likelihood for each.
A quantitative risk assessment requires concrete incidents. For this report, we examined four very real scenarios related to attacks on key and certificate management, such as a phishing attack using a certificate signed by a compromised certificate authority (CA). The survey presented generalized scenarios; however, every scenario was rooted in an incident that has actually occurred.
Exposure, or incident cost, assessment
Assessing the impact of new and emerging attacks isn’t easy; however, the expected value methodology gave us a time-proven, risk-based technique.
Survey respondents reported a range of expected costs over 24 months for each type of incident. We judged 24 months as the most reasonable time frame for covering most of the long-standing effects while still ensuring that costs could be traced back to the incident.
We wanted respondents to think in concrete, real-world terms, so we provided specific cost categories, for which enterprises often already have assessment methods:
· Incident response, such as the costs of finding and remediating the issue
· Lost productivity due to unavailable services or lost data
· Lost revenue due to unavailable services or lost data
· Brand and reputational damage due to high-profile outages or attacks
The respondents’ answers did align with what I know about keys and certificates. No important data can—or should—be transmitted without keys and certificates being involved to ensure its privacy, integrity and authenticity. We should expect, as clearly many IT security professionals are expecting, a staggering cost to losing control of them.
Whether an individual enterprise will actually suffer the costs reported depends on whether it is unlucky enough for the incident to occur. The question is: just how unlucky does it have to be?
To answer that question, we continued with the expected value approach. Looking at each scenario separately, respondents assessed the likelihood of at least one such incident occurring at their enterprise over 24 months. They then assigned the scenario a likelihood between 0 and 10, which we converted to percentages.
Although some of the expected likelihoods might seem startlingly high, other survey data support the outcomes. Fully 51% of the respondents admitted that they do not know precisely how many keys and certificates they have. These are IT security professionals with a vested interest in overestimating their knowledge and control over these assets. It is likely, then, that significantly more than half of enterprises have unmanaged keys and certificates waiting to be exploited. They’ve lost control over the trust these technologies help establish. The costs and likelihood identified by this research are therefore spot on.
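To make the expected value formula and the survey methodology above concrete, here is a small risk calculator added for illustration; it is not code from the report or its authors. It applies Total Exposure x Likelihood = Expected Exposure to the four cost categories and the 0–10 likelihood scale described above, using the post’s own $125 million / 18% example; the split of that $125 million across categories and the linear 0–10 to 0–100% mapping are assumptions, since the report does not state them.

```python
"""Expected-value risk calculator mirroring the report's methodology.

Added illustration, not code from the report or its authors.
Expected Exposure = Total Exposure x Likelihood of Occurrence.
"""
from dataclasses import dataclass

# The four 24-month cost categories the survey asked respondents to estimate.
COST_CATEGORIES = ("incident_response", "lost_productivity",
                   "lost_revenue", "brand_damage")


def score_to_likelihood(score: float) -> float:
    """Convert a respondent's 0-10 likelihood score to a probability.

    Assumption: the report only says scores were converted to percentages;
    a linear mapping (0 -> 0.0, 10 -> 1.0) is assumed here.
    """
    if not 0 <= score <= 10:
        raise ValueError(f"likelihood score out of range: {score}")
    return score / 10.0


@dataclass(frozen=True)
class Scenario:
    name: str
    costs_usd: dict     # category -> estimated 24-month cost if the incident occurs
    likelihood: float   # probability of at least one such incident in 24 months

    def __post_init__(self):
        unknown = set(self.costs_usd) - set(COST_CATEGORIES)
        if unknown:
            raise ValueError(f"unknown cost categories: {sorted(unknown)}")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be a probability: {self.likelihood}")

    def total_exposure(self) -> float:
        """Size of the 'bet': everything lost if the incident does occur."""
        return float(sum(self.costs_usd.values()))

    def expected_exposure(self) -> float:
        """Average loss when the game is played repeatedly at these odds."""
        return self.total_exposure() * self.likelihood


def expected_exposure_total(scenarios) -> float:
    """Sum of expected exposures across every scenario under consideration."""
    return sum(s.expected_exposure() for s in scenarios)


# Worked example from the post: $125M total impact, 18% likelihood -> $22.5M.
# The split of the $125M across categories is constructed, not from the report.
WEAK_LEGACY_KEY = Scenario(
    name="exploit of a key using weak legacy encryption",
    costs_usd={"incident_response": 5_000_000, "lost_productivity": 20_000_000,
               "lost_revenue": 60_000_000, "brand_damage": 40_000_000},
    likelihood=0.18,
)
```

Running `expected_exposure_total` over all four of the report’s scenarios, with each enterprise’s own cost estimates and likelihood scores, reproduces the per-scenario and aggregate figures the post discusses.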
One of our latest studies is the Efficacy of Emerging Network Security Technologies. Our objective is to learn about organizations’ use and perceptions of emerging network security technologies and their ability to address serious security threats. The emerging technologies examined in this study include next generation firewalls, intrusion prevention systems with reputation feeds and web application firewalls. Some interesting findings include: securing web traffic is by far the most significant network security concern for the majority of organizations. However, the majority of respondents say network security technologies fall short of vendors’ promises. Almost half (48 percent) of respondents agree that emerging network security technologies are not effective in minimizing attacks that aim to bring down web applications or curtail gratuitous Internet traffic. To read a copy of the report please click http://www.juniper.net/us/en/dm/spotlight
Data breaches have become a fact of life for organizations of all sizes, in every industry and in many parts of the globe. While many organizations anticipate that at some point a non-malicious or malicious data breach will occur, the focus of this study is to understand the steps organizations are taking to deal with the aftermath of a breach or what we call the Post Breach Boom. Sponsored by Solera Networks, we conducted The Post Breach Boom study to understand the differences between non-malicious and malicious data breaches and what lessons are to be learned from the investigation and forensics activities organizations conduct following the loss or theft of sensitive and confidential information. The majority of respondents in this study believe it is critical that a thorough post-breach analysis and forensic investigation be conducted following either a non-malicious or malicious security breach. To download the report, please click here.
Today we released a new study entitled the Risk of Insider Fraud: Second Annual Study. The research reveals that the number of employee-related incidents of fraud continues to remain high. However, only 44 percent of IT and IT security practitioners say their organization views the prevention of insider fraud as a top security priority, and this perception has declined since we first conducted this study in 2011. Contributing to the insider risk are BYOD, employee access of enterprise systems from remote locations and lack of security protocols over edge devices. Some suggestions to address these risks include making training and awareness an important component of a security initiative and monitoring access privileges. These privileges also need to be appropriate for the employee’s role and responsibility. We hope you will read the full report, which discusses the challenges organizations face in minimizing the risk of the malicious and negligent insider. To find out more, visit http://www.attachmate.com/assets/Ponemon_2012_Report.pdf