Businesses Need to Act Fast to Regain Online Trust

June 18, 2015 | Kevin Bocek

The Internet is the lifeblood of today’s business. Billions of dollars in market capitalization have been built on the innovation and productivity gains from the Internet and connected computing. However, the idea that security professionals believe online trust is near its breaking point will probably come as a bewildering thought to many companies going about their daily business, quietly confident that the Internet’s system of trust is working.

The truth is that businesses need to take their blinders off and face online security issues head on, instead of burying their heads in the sand. Shockingly, 100% of surveyed organizations admitted to being on the receiving end of multiple attacks on unsecured cryptographic keys and digital certificates in the past two years alone. Keys and certificates are the foundation of security, and they were put in place twenty years ago to solve the first Internet security problems: what can I trust online, and can I have private communications? But we have lacked a system to keep them safe, to know what is trusted, and to find and replace them when they are not. If businesses do not take action, they will be unprepared for what security experts call a ‘Cryptoapocalypse’—when a discovered cryptographic weakness becomes the ultimate cybercriminal weapon, sending business into chaos.

We’ve already seen the warning signs. Last year, for example, Russian cybercriminals stole an SSL/TLS certificate from a top-five global bank. This enabled the cyber gang to impersonate the bank and steal 80 million customer records. In another case, SSL/TLS keys and certificates enabled hackers to steal data from 4.5 million healthcare patients. Leading industry researchers have identified the misuse of keys and certificates as a key part of an Advanced Persistent Threat (APT) and at the epicenter of cybercriminal operations.

The dire reality of the situation was uncovered in the 2015 Cost of Failed Trust Report, released by the Ponemon Institute. It is the first report of its kind to examine the Internet’s system of trust and what happens when this system breaks down. The report found that half of respondents acknowledged that the trust established by keys and certificates, the technology used to underpin trust and privacy online, is in jeopardy. What is more worrying is the other half, who are ignoring the issue of trust altogether.

Half of IT security professionals believe online trust is in jeopardy.

Can you find your keys and certificates?

With 54% of businesses unaware of the location of their keys and certificates, or how they are being used, it is easy to see how they, their customer base, and partners, fail to establish any trust online. Take away the trust created by keys and certificates, used for everything from online shopping and mobility, to banking and government, and we can see the Internet being hurtled right back into the ‘stone age’, where users have no way of knowing if a website or mobile application is actually secure. How much faith would that give you in doing business online?

The potential liability must not be underestimated. Over the next two years, the prospective financial risk facing businesses from attacks on keys and certificates is expected to reach at least $53 million.

Take action now.

With the growing number of attacks on keys and certificates, businesses must treat this as a wake-up call and realize that they cannot place blind trust in keys and certificates that are open to exploitation by cybercriminals. We need to know what is ours and what is trusted, and what is not. And as we move more and more to cloud and DevOps environments, we need to scale up fast and tear down even faster to keep everything safe and trusted.

The total number of keys and certificates used by the average business is over 23,000—up 34% from two years ago, thanks to an increase in deployment on web servers, network devices, and cloud services.

Over 23,000 keys and certificates in the average organization.

With no alternatives to keys and certificates available, the first priority is to make sure they are adequately protected. Businesses must make sure they know exactly where their keys and certificates are, fix any vulnerabilities, and make sure they are changed and replaced automatically.

Organizations need to put strict policies in place to know who they can, and cannot, trust. Before a certificate is issued a business should make sure it knows exactly how it will be used, who will own it internally, and if it fits into the existing security policy. And with more cloud and DevOps environments, we can only accomplish this with a solution that’s machine-based to scale up and down in seconds.

Businesses must not forget to include enterprise mobile certificates in their cyber security policy. The misuse of these for applications such as WiFi, VPN and MDM/EMM is a growing concern, especially with an increase in mobile employees and the adoption of BYOD (Bring Your Own Device). Security professionals indicated that attacks using mobile certificates have the largest impact of all attacks using keys and certificates, with a total possible impact of $126 million.

Businesses should sweep the Internet regularly to see if there are any ‘spoofed’ or stolen certificates out there claiming to belong to them. Stolen certificates are now being sold for $1000 and more. This is such a big problem that Intel believes it will be the next big hacker marketplace. Each business’s security infrastructure should detect these issues and rapidly respond to anomalies as well as know how to fix and replace vulnerable keys and certificates quickly.
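As an added illustration (not Venafi’s code, nor the report’s methodology), here is a small Python policy check over constructed certificate discovery records that applies the steps above: an approved issuer and an internal owner decided before issuance, weak keys and expiring certificates flagged for replacement, and an unapproved CA issuing for a domain the organization owns reported as a possible spoofed certificate. The policy values, the record format and the domain example.com are assumptions.

```python
from datetime import datetime, timedelta
POLICY = {  # rules the organization sets before issuance (assumed values)
    "approved_issuers": {"Corp Internal CA", "Public CA Example"},
    "owned_domains": {"example.com"},
    "min_rsa_bits": 2048,
    "renew_within": timedelta(days=30),
}
# Constructed records shaped like a network sweep or CT search result; not real certificates.
RECORDS = [
    {"location": "web01.example.com:443", "subject": "www.example.com",
     "sans": ["www.example.com", "example.com"], "issuer": "Public CA Example",
     "key": ("RSA", 2048), "not_after": datetime(2015, 12, 1), "owner": "web-team"},
    {"location": "vpn.example.com:443", "subject": "vpn.example.com",
     "sans": ["vpn.example.com"], "issuer": "Corp Internal CA",
     "key": ("RSA", 1024), "not_after": datetime(2015, 7, 1), "owner": None},
    {"location": "ct-log", "subject": "login.example.com",
     "sans": ["login.example.com"], "issuer": "Unknown Free CA",
     "key": ("RSA", 2048), "not_after": datetime(2016, 6, 1), "owner": None},
]
AS_OF = datetime(2015, 6, 18)  # the post's date, used as "now" for the sample run

def covers_owned_domain(name, owned):
    """True if a subject or SAN name (wildcards included) sits inside an owned domain."""
    host = name[2:] if name.startswith("*.") else name
    return any(host == d or host.endswith("." + d) for d in owned)

def findings(rec, policy, now):
    """Return the policy violations for one discovery record, in check order."""
    out = []
    if rec["issuer"] not in policy["approved_issuers"]:
        # An unapproved CA issuing for a domain we own is the "spoofed or stolen" case.
        names = [rec["subject"], *rec["sans"]]
        if any(covers_owned_domain(n, policy["owned_domains"]) for n in names):
            out.append("possible spoofed certificate: unapproved issuer for owned domain")
        else:
            out.append("issuer not approved")
    alg, bits = rec["key"]
    if alg == "RSA" and bits < policy["min_rsa_bits"]:
        out.append(f"weak key: RSA {bits}")
    if now >= rec["not_after"]:
        out.append("expired")
    elif rec["not_after"] - now < policy["renew_within"]:
        out.append("renewal due")
    if not rec["owner"]:
        out.append("no internal owner recorded")
    return out

def sweep_report(records=RECORDS, policy=POLICY, now=AS_OF):
    """Map each location that has at least one finding to its findings."""
    return {r["location"]: f for r in records if (f := findings(r, policy, now))}
```

Records with no findings are dropped from the report, so a clean sweep returns an empty dict.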

It is critical that organizations put broad cyber security controls in place; it is not possible to focus on just one type of security control. And it is critically important that the foundational elements of security, like keys and certificates, be secured first. Cybercriminals will not question the size or sector of a business when they attack.

About the author

Kevin Bocek

Kevin is Vice President of Security Strategy & Threat Intelligence at Venafi. He is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management, and has previously held positions at CipherCloud, PGP Corporation and Thales.
