Old, outdated cryptographic protocols are widely used by enterprises in finance, healthcare, higher education, retail, and manufacturing.

Research by Quantum Xchange underscores how cryptography is largely taken for granted – rarely evaluated or checked – a practice that could have devastating consequences for businesses as attack surfaces continue to expand, the cost of a data breach rises year-over-year, and the age of quantum computing nears.

Mining data from CipherInsights’ users and examining more than 203Tb of network traffic, the analysis looked at the relationships, sessions, and traffic for ciphersuites, plaintext, TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0, and SSL v3. Across the total sum of all packets, for all connections, between all pairs, up to 80% of network traffic had some defeatable flaw in its encryption and 61% of the traffic was unencrypted.

Findings indicate that healthcare and higher education are slow to change, with a significant presence of TLS 1.1 and 1.0 in use. More alarming, up to 92% of all traffic on a hospital network uses no encryption at all. This suggests a laissez-faire attitude and general reluctance to update “working” systems that are in production.

Eighty-seven percent of encrypted, host-to-host relationships still use TLS 1.2, demonstrating that a large migration to TLS 1.3 is still forthcoming – not a trivial upgrade given the significant differences between versions.

“These findings serve as a snapshot of what’s taking place within enterprise systems worldwide,” says Vince Berk, chief strategist at Quantum Xchange. “Zero trust is meaningless if your encryption is not bulletproof. We’re trying to bring awareness to the here-and-now problem with cryptography so that organizations can shore up these weaknesses and better protect their systems from everyday cybersecurity risks and yet-to-be-discovered threats.”