Insights from Chief Security Officer, Chris Hickman, on the 2019 Keyfactor-Ponemon Institute Report: The Impact of Unsecured Digital Identities
Whether you need to protect your website, your network, or your IoT devices, digital certificates play a foundational role in securing virtually every line of business.
As Keyfactor’s Chief Security Officer, I often speak from a security perspective, advocating the importance of securing digital identities across environments and preventing misuse of keys and certificates by would-be hackers. Those who seek to do you harm hide in your network, compromise your software, and hijack your connected devices.
But there’s a much less nefarious yet equally serious threat to your business:
All certificates expire. Unexpected or unplanned outages due to certificate expiration continue to plague enterprises everywhere.
Regardless of how much time and how many resources you invest in prevention, it can often seem like a losing battle. And the reality is that many businesses treat it as one: accepting defeat, they simply budget for outage fixes.
Practical? Maybe. Cost-effective? Far from it.
The Real Cost of Outages: Revenue, Reputation and Recovery
Here’s the thing. It takes just one expired certificate slipping through the cracks for you to lose access to critical systems, frustrate customers, halt business and, ultimately, damage the reputation you’ve spent years building.
Even the biggest names in the business aren’t immune. Consider the Microsoft Azure outage caused by a neglected certificate, or the major mobile network outages that hit millions of subscribers after a certificate in Ericsson’s network software was allowed to expire.
In either case, just one expired certificate impacted tens of millions of users.
To make matters worse, expired certificates are often difficult to diagnose. Even the most experienced IT security and response teams may take days to identify an expired certificate as the culprit. Then comes the task of finding and replacing that certificate everywhere it’s in use across the business – a nearly impossible task for those tracking certificates using an Excel spreadsheet.
Let’s Talk Numbers
If you are deep in the trenches of PKI operations, it takes no stretch of the imagination to comprehend this scenario. For you, it’s an everyday risk.
But let’s face it – senior executives don’t know (much less care) about keys and certificates. And the only spreadsheets they want to see involve profit and loss, not expiration dates.
So, let’s talk numbers.
A recent study conducted by Ponemon Institute for Keyfactor provides insights into the challenges of certificate-related outages and the significant impact they can have on your business. Drawing on input from 600 respondents, the report’s key takeaways include:
- Respondents experienced an average of four certificate-related outages in the past two years
- The average economic loss from these incidents is estimated at $11.1 million
- The cost of immediate revenue loss alone is estimated at nearly $3 million
- There is a 30% likelihood that organizations will experience the same issues over the next two years
But how can expired certificates add up to $11.1 million? Let’s look at some real-world scenarios to put things in perspective.
Before working with Keyfactor, a multinational air freight carrier relied on digital certificates to secure its logistics systems, from flight plans to load management. One unmanaged certificate expired and crippled access to those critical systems. While IT security teams scrambled to find the source and remediate the issue, the entire fleet was grounded.
By the time the expired certificate was discovered and updated, two full days of operational interruptions resulted in millions of dollars in lost revenue.
How about a more familiar example? The infamous theft of 148 million individuals’ personal data from Equifax went undetected for an incredible 76 days. How did it happen? Equifax didn’t see the data exfiltration because the traffic inspection device designed to detect exactly that activity had been unable to inspect encrypted traffic for 19 months: its certificate had expired. It is reported that Equifax spent nearly $243 million to recover from the breach.
The cost of outages due to expired certificates is far more than another line item on your budget. It is enough to grab the attention of cybersecurity and IT executives.
The good news is, it’s not impossible to avoid outages, but it does take consistency to get it right (not to mention the right technology).
How to Stop an Outage Before It Happens
Outages due to expired certificates are completely preventable. So why do they continue to plague enterprises today?
In some cases, enterprises have invested in certificate management tools but only have the budget to track a subset of their certificates because of per-certificate licensing fees. In most cases, though, organizations still track certificates in a spreadsheet, which makes it nearly impossible to quickly detect and respond to an expired certificate. And when you’re in the middle of an outage, time to remediation is everything.
So, what can you do to prevent the next $11 million outage?
- Discover and inventory all certificates: Do you know how many certificates you have, who issued them, and where they are installed? Certificate renewal isn’t inherently complex, but you have to find every certificate across your network before you can fix it, and you shouldn’t be limited by a tool with a per-certificate pricing model.
- Integrate with existing systems: How quickly can you respond to an expiring certificate? Continuous monitoring and alerting is the critical next step in certificate lifecycle management, and you likely already have the tools to act on those alerts. More often than not, a simple API plug-in is enough to integrate with your existing ticketing and workflow systems (think ServiceNow or Remedy).
- Invest in automation technology: Automating renewal and deployment reduces the risk of human error, keeps certificate lifecycle management running continuously, and frees IT staff for other important initiatives within a limited budget.
Without the right people, processes and tools in place, digital certificates can often seem like ticking time bombs. As cybersecurity and IT executives who drive business strategy, we know that investing in the right things can help us to protect our organizations from expired certificates and mitigate the impact of unexpected outages when they do occur.
I’d love to hear more about your company’s experience and compare it to the report’s findings. Please reach out to me and let’s find a time to talk.