Leaked Infrastructure Secrets Cost Companies an Average of $1.2 Million in Revenue Annually
80% of IT/DevOps Organizations Admit to Not Managing Their Secrets Such as API Keys, Tokens, and Certificates Well.
In pursuit of accelerated timelines, developers frequently have to choose between speed and security. They leave infrastructure secrets like API tokens, SSH keys, and private certificates in config files or next to source code in order to have easier access.
But they are not always aware of the fact that the easier it is for them to access these secrets, the easier it is for cybercriminals to do the same.
According to “Hiding in Plain Sight”, a report from 1Password, the leader in enterprise password management, companies are losing an average of $1.2 million every year because of leaked information, which researchers at the company called “secrets.”
Jeff Shiner, 1Password CEO, declared:
Secrets are now the lifeblood for IT and DevOps as they seek to support the explosion of apps and services now required in the modern enterprise.
500 adults in the United States who work full-time in their company’s IT department or in a DevOps role at a company with more than 500 employees were asked about how they handle the keys, tokens, and certificates that power their digital infrastructure.
60% of IT/DevOps Companies Have Experienced Secrets Leakage
The survey shows that for 10% of respondents who experienced secrets leakage, their company lost more than $5 million. Over 60% of participants stated their enterprise has dealt with important data leakage.
Furthermore, two in five (40%) declared their companies suffered brand reputation damage, with 29% of them losing their clients as a consequence of secrets leakage.
According to the study, two in three (65%) of IT and DevOps employees estimate their organization has more than 500 secrets and nearly 1 in 5 (18%) say they have more than they can count.
On average, IT and DevOps workers spend 25 minutes per day managing secrets, and the numbers are growing. More than half (66%) of IT and DevOps leadership say they spent more time than ever managing secrets last year.
Another 61% stated several projects had to be delayed because their companies were not able to successfully manage their secrets.
Full Access to Former Employer’s Systems
API tokens, SSH keys, and private certificates also continue to be leaked because 77% of IT/DevOps workers say that they still have access to their former employer’s infrastructure secrets, with over a third (37%) saying that they still have full access.
According to the report, 59% of IT/DevOps workers have also used email to share enterprise private details with colleagues, followed by chat services (40%), shared documents/spreadsheets (36%) and text messages (26%).
The problem is particularly critical among organization leaders. More than 62% of participants said team leads, managers, VPs, and others have disregarded protection rules due to COVID-19 demands on work.
Our research reveals that secrets are booming, but IT and DevOps teams are not meeting rigorous standards to protect them — and in the process are putting organizations at risk of incurring tremendous cost. It’s time for companies to take a hard look at how they manage them, and adopt practices and solutions to ‘put the secret back into secrets’ to support a culture of security.