What’s happening with cybersecurity at many enterprises today reminds me of the horror movies that are so popular at this time of year. Viewers clearly see the danger ahead. But those who are involved in the action don’t always take the proper precautions to protect themselves.
Indeed, as the recently released “2019 Global PKI and IoT Trends Study” illustrates, despite incremental progress in some areas of public key infrastructure (PKI) security, enterprises continue to miss the mark on basic best practices.
PKI is a strategic part of the core IT backbone, but skill and resource shortages around security leave enterprises vulnerable and unprepared for the future. And the expansion of the Internet of Things – and the cybersecurity challenges it introduces – only exacerbate this problem.
There’s growing awareness about the importance of cybersecurity
We partnered with the Ponemon Institute to create this study. It is based on the research firm’s survey of more than 1,800 IT security practitioners in 14 countries and global regions. We unveiled the findings this month to coincide with National Cybersecurity Awareness Month.
National Cybersecurity Awareness Month (NCSAM) is an effort of the National Cyber Security Alliance (NCSA), which launched the initiative in 2004 along with the U.S. Department of Homeland Security. NCSAM is a joint public-private effort to raise awareness about the importance of cybersecurity. This year’s theme is: Own IT. Secure IT. Protect IT.
Major companies, including ADP, American Express Corp., Bank of America, Comcast, Eli Lilly and Co., Facebook, Google, Marriott International, Mastercard, Raytheon, Uber, U.S. Bank, and Wells Fargo & Co., are on the NCSA board. This list helps illustrate the importance some of the world’s largest and most important companies now place on cybersecurity.
But there’s still work to do – especially when it comes to IoT security
Yet, as our research indicates, many enterprises fail to prioritize IoT security measures that counter cyber threats they fear the most. And that makes them vulnerable to attack.
Survey respondents consider the top IoT threats to be altering the function of an IoT device (68%) and remote control of the device by an unauthorized user (54%). But, interestingly, security practices like delivering IoT patches and device updates to avoid such alterations ranked last on their list of the five top IoT security capabilities.
That’s a real problem, particularly considering that the cybersecurity gap is growing wider and deeper as the number of IoT devices grows. Forecasts suggest that more than 30 billion IoT devices will be in service by 2020. That’s up from an estimated 27 billion IoT devices today.
Our research suggests that about 42% of IoT devices in use will rely primarily on digital certificates and identification and authentication in the next two years. But far fewer IoT devices and platforms leverage encryption. Only 28% of IoT devices employ encryption, and just a quarter of IoT data repositories and platforms use encryption.
There is some good news, but PKI best practices are not where they need to be
On the upside, IoT is the fastest growing trend driving PKI application deployment with 20% growth in the past five years. In addition, organizations are expanding the scope of their PKIs.
Our research also suggests that enterprises are being more rigorous when it comes to PKI security in some areas. Fewer are using only a password to protect certificate authority (CA) administrative access (a 6% drop from the 2018 level), and more are using hardware security modules (HSMs) to manage CA private keys (a 3% increase over 2018).
Still, many organizations are missing the mark when it comes to best practices related to PKIs.
Almost a third (30%) of the organizations that Ponemon surveyed admitted they do not do certificate revocation of any kind, and a whopping 68% said they struggle to establish clear ownership of PKI in spite of the significant dependency on it. These responses, and the fact that their 5-year trend shows little progress, speak volumes about real-world operational PKI challenges.
Implementing best practices can change that, safeguarding businesses and customers
The Ponemon research also shows that internal corporate CAs are the most popular choice for PKI deployment. The bulk (80%) of financial services organizations use internal corporate CAs. This approach is used by 63% of the overall survey group, a number that has increased 19% over the past five years.
But sometimes, outsourcing can help. This survey revealed indications that enterprises who leverage reputable external hosted managed services can reap the benefits of better best practices when it comes to cybersecurity. Whether you keep PKI in house, use external services, or a combination of the two, Entrust and its parent company, Entrust Datacard, can help. Entrust nShield hardware security modules provide certified, tamper-proof protection for critical PKI private signing keys used at root and issuing CAs, as well as for other PKI components such as registration authorities and CRL servers. Entrust Datacard offers managed PKI services, on-premises PKI software, SSL and signing certificate services, and the ioTrust IoT security solution.
The fact is that bad actors are going to target businesses and their devices – especially where those devices (let’s just call out IoT devices right here!) offer a new and often improperly protected network entry point. But with best practices and focused solutions in place, enterprises will have the tools they need to fend off scary situations. And business leaders and customers won’t have to be on the edge of their seats.