Leaked infrastructure code, credentials and keys costing orgs an average of $1.2 million per year: 1Password

About 60% of survey respondents said their organization dealt with leaked API tokens, SSH keys, and private certificates.
Written by Jonathan Greig, Contributor

Organizations are losing millions of dollars in revenue each year due to leaked infrastructure code, credentials and keys, according to a new report from 1Password. 

1Password's report "Hiding in Plain Sight" said that enterprises lose an average of $1.2 million each year due to leaked details, which researchers at the company called "secrets." Researchers found that IT and DevOps workers leave infrastructure secrets like API tokens, SSH keys, and private certificates in config files or next to source code for easy access and to make things move faster.

The report features analysis from 1Password researchers as well as an April 2021 survey of 500 IT and DevOps workers in the US. For 10% of respondents who experienced secret leakage, their company lost more than $5 million. More than 60% of respondents said their organizations have dealt with secrets leakage. 

In addition to the money lost, 40% said their organizations suffered from brand reputation damage and 29% said clients were lost due to the consequences of secrets that had been leaked. 

According to the report and accompanying survey, 65% of IT and DevOps employees say their company has more than 500 secrets, with almost 20% saying they have more than they can count. 

Employees have to spend about 25 minutes every day managing these secrets and more than half say that number has increased significantly over the last year. 

More than 61% said multiple projects had to be delayed because their organization could not effectively manage its secrets. 

Alarmingly, 77% of respondents said they still have access to a former employer's systems and 37% said they had full access, highlighting one of the main reasons why secrets continue to be leaked. 

Another factor contributing to the problem is the growing use of cloud applications, which 52% of IT and DevOps workers said made it harder to manage secrets. 

But IT and DevOps workers acknowledged some of the blame, with 80% saying they did not do a good job of managing secrets. About 25% said their organization's secrets are in 10 or more locations.

IT and DevOps workers also admitted to sharing information about company secrets over less-than-secure channels including email (59%), Slack (40%), spreadsheets/shared documents (36%) and text (26%). 

Almost all respondents said their organization has a secrets policy, but less than 40% said it is enforced. The problem is particularly acute among organizations' leaders. More than 62% of respondents said team leads, managers, VPs and others have ignored security rules due to COVID-19 demands on work.

"Secrets are now the lifeblood for IT and DevOps as they seek to support the explosion of apps and services now required in the modern enterprise," 1Password CEO Jeff Shiner said.

"Our research reveals that secrets are booming, but IT and DevOps teams are not meeting rigorous standards to protect them -- and in the process are putting organizations at risk of incurring tremendous cost. It's time for companies to take a hard look at how they manage secrets, and adopt practices and solutions to 'put the secret back into secrets' to support a culture of security."