All—as in 100%—of UK organizations have responded to multiple attacks on keys and certificates in the past two years.
Take a moment to read that again, if you like.
The Ponemon Institute found that attacks are becoming more widespread as the number of keys and certificates deployed on infrastructure such as web servers, network appliances and cloud services has grown by 40% to almost 24,000 per enterprise over the past two years.
Russian cyber-criminals, for instance, recently stole digital certificates from one of the top five global banks, enabling them to steal 80 million records, while another attack allowed hackers to steal data from 4.5 million healthcare patients.
Despite the ubiquity of the attacks, a full 63% of organizations do not know where all keys and certificates are located or how they’re being used. But at least the attacks have led to a modicum of self-awareness: 60% of all surveyed respondents agreed that they need to do a better job at responding to vulnerabilities involving keys and certificates. And 54% noted that the trust established by keys and certificates that is necessary for online banking, shopping and government is in jeopardy.
“With the rising tide of attacks on keys and certificates, it’s important that enterprises really understand the grave financial consequences,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “We couldn’t run the world’s digital economy without the system of trust they create. [Organizations] need a wake-up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals.”
Conducted in the United Kingdom, Australia, France, Germany, and the United States, the report highlights that over the next two years, the potential financial risk facing UK enterprises from attacks on keys and certificates is expected to reach at least £33 million.
As for security professionals specifically, they said that they fear a “Cryptoapocalypse” event the most. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity and time to remediate.
“Whether they realize it or not, every business and government relies upon cryptographic keys and digital certificates to operate,” said Kevin Bocek, vice president of security strategy and threat intelligence at report sponsor Venafi. “Without the trust established by keys and certificates, we’d be back to the Internet ‘stone age’—not knowing if a website, device or mobile application can be trusted.”