"It's not surprising then that all companies we spoke with had suffered an attack on trust due to failed key and certificate management, or that these attacks are projected to cost organizations an average of $35 million, with a maximum possible cost exposure of $398 million per organization, according to Ponemon. This level of risk and exposure demands remediation."
Ponemon Institute surveyed 2,342 respondents from within the Global 2000 in Australia, France, Germany, the U.K. and U.S. The respondents represented 16 distinct vertical industries, the top five being financial services, public sector, consumer products, services (including audit and consulting), and education and research.
"The empirical question was: If an organization experiences a meltdown involving their encryption key or certificate management, what would happen?" Ponemon explains. "We attempted to extrapolate a maximum cost per exposure."
Ponemon had respondents evaluate four cost categories for each type of attack:
Brand and reputation damage
"Using this methodology, what we were able to do was estimate and extrapolate the costs of the different scenarios," Ponemon explains. "Each of the scenarios we used was based on real-life events."
All Respondents Had Suffered at Least One Attack
All of the enterprises surveyed had suffered at least one attack on trust due to failed key and certificate management. Easily preventable exploits of weak cryptography turned out to be both the most likely and the most costly, averaging $125 million per incident, per organization.
Attacks on trusted certificate authorities (CAs), which issue and validate digital certificates, can lead to man-in-the-middle and phishing attacks on enterprises, with costs averaging $73 million per incident, per organization.
Ponemon notes that the high cost makes sense given that attacks on cryptographic keys and certificates are difficult to detect and also target the most critical IT and business processes. He notes that the numbers are in line with the results of other major breaches, like the 2006 breach of TJX Companies, the owner of T.J. Maxx and other stores. In that instance, hackers accessed a system that stored information on customer credit card, debit card, check and merchandise return transactions. The breach affected 45.7 million customers and cost TJX at least $256 million.
"The Internet really relies on a mechanism of trust," Hudson says. "What trusts what and why does it trust it? This is not a well-understood area. Even at the CISO and CIO level, when we ask them 'where are your SSL certificates?' they don't really know. But it's fundamental to the way this whole thing works."
"This is also the first time when CEOs and other C-level executives in large corporates don't really have a clue how things work," Hudson adds. "It used to be they knew they could trust what was in their inventory because they could say, 'we've got armed guards, locked doors and keys, dogs, etc.' But when we move into this era of the Internet, they just don't know. They don't know how this machine knows it can trust that machine. And the bad guys have figured that out. What a bad guy will always do is go after you when you're not looking."