The Ponemon Institute recently released its 2013 Annual Cost of Failed Trust Report: Threats & Attacks that was underwritten by Venafi and underscores the risks that organizations take in failing to secure both internal and external trust. Dr. Larry Ponemon will present on the key findings from the report at the 2013 RSA Conference tomorrow, Thurs., Feb. 28. Ponemon will explain how digital certificates and cryptography are critical to enterprise trust and how poor key and certificate management can be extremely damaging to organizations’ budgets.
Ponemon already released its annual Benchmark Study on Patient Privacy & Data Security back in December, and this 2013 report didn’t deal directly with healthcare, but the information is still valuable to healthcare organizations for a few reasons. The first is that financial responsibility for data security is a concern that applies across sectors. Secondly, healthcare is going to continue to rely more and more on keys and certificates as digital records become integrated and accessible to physicians and patients alike.
“I’ll share some of the expected and startling findings, including the fact that more than half of the companies surveyed do not know how many keys and certificates they have, that every company had experienced an attack on trust due to failed key and certificate management, and that trust attacks are projected to cost organizations an average of $35 million over 24 months, with a maximum cost exposure of $398 million per organization,” Ponemon told Marketwatch.com.
The goal of the report was to publicize the tangible financial risks that organizations, such as those in healthcare, take in using weak cryptography when securing data. Certificate management was cited as a bugaboo for enterprises, as there are also consequences for certificate authority (CA) hacks and misuses that lead to phishing and other issues. Other problems included:
Manual management isn’t enough: Enterprises estimate they have on average 17,807 keys and certificates, per organization.
Unknown and unquantified risk: 51 percent of surveyed organizations do not know exactly how many keys and certificates they have.
Cloud computing anxiety: Respondents believed difficult-to-detect attacks on Secure Shell (SSH) keys, critical for cloud services from Amazon and Microsoft, present the most alarming threat arising from failure to control trust.
Need to establish control over trust: Already 59 percent of enterprises believe that proper key and certificate management can help them regain control over trust and avoid these risks.
Similar to much of the news coming from the RSA Conference this week, this isn’t directly applicable to healthcare. But the financial burden that results from inferior encryption is a cross-industry problem that can give healthcare organizations insight into what the encryption issues are and how to solve them.