UK Firms Hit With £25 Million Bill for Certificate-Related Outages

Almost two-thirds of UK companies have lost customers and many more have failed audits and lost millions through outages because of poor management of security keys and certificates, according to Venafi.

The trust protection platform developer polled over 2,300 global respondents, including 500 UK security professionals, to compile the Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers.

It found that 61% of UK firms had lost customers over the past two years because of key/certificate issues.

What’s more, respondents in the UK averaged over three certificate-related unplanned outages over the period, versus a global average of two. With security pros estimating the cost of each outage at £8.5 million, this is having a considerable impact on their organization’s bottom line.

Over the past two years, each responding business has failed one or more SSL/TLS audits and one or more SSH audits.

The report also claimed that 63% of UK IT leaders lacked visibility into keys and certificates, while 61% lacked policy enforcement and remediation.

Venafi’s vice president of security strategy, Kevin Bocek, argued that many firms don’t even know keys and certificates represent a security challenge to the organization, meaning there’s a lack of ownership around the issue.

“Keys and certificates are the foundations of trust that enable us to communicate and conduct business on the internet: they’re not optional,” he told Infosecurity by email.

“Most organizations are still at stage one: deploying keys and certificates to protect private communications and make sure websites, devices, apps are authenticated. Yet the thought that these systems of trust could in themselves be creating risk has not entered into many businesses’ thinking, meaning protecting keys and certificates is not being prioritized as it should be.”

The number of keys and certificates being used is growing by over 20% year-on-year as more businesses look to encrypt network traffic with SSL/TLS and the Internet of Things drives the need for even more certificates, he claimed.

“All of these assets represent a potential risk to the business, yet most organizations do not have a system to track keys and certificates, or are trying to do so on outdated Excel spreadsheets,” argued Bocek.

“The bad guys have already cottoned on – just look at the Sony hack last year, where the company’s SSH and code signing keys and certificates were stolen and published to the internet – so businesses need to act now to get back in control.”
