One thing that the last half of 2018 taught us is that very bad things happen when certificates are not managed. From the breach at Equifax, which went undetected for 76 days because of an expired certificate and resulted in $700M in fines, to the massive outage that impacted nearly every O2 and SoftBank customer when a certificate expired, these companies proved that millions of people are impacted when certificates are not properly managed.
As a CSO, this really concerns me.
A new study conducted by Ponemon Institute for Keyfactor highlights how big the challenge is – and for the first time, it ties the impact of ineffective certificate and key management back to the organizational KPIs that keep executives like us up at night.
The Fascinating Cost of Expired Certificates
Gathering input from 600 respondents across just about every industry, the report highlights concerns from the technical community that lack of attention and investment in digital identity management is putting organizations at risk.
Think about that – platforms, processes and identities that span an organization are at risk, every day. Across 100% of the industry segments represented in the study, the ability to discover, inventory and automate is one of the greatest challenges our PKI teams (or in many cases, even in large enterprises, a single person!) face. 74% of respondents reported they’ve already experienced a significant outage due to an expired certificate, and 42% believe that another outage of similar or greater impact will happen again in the next several months.
71% of respondents reported that the lack of visibility into what certificates and keys are actually deployed across the enterprise is a major concern.
So here’s the big takeaway: we know outages cost productivity and can impact customers – but that often gets written off as a cost of doing business. The report shines a light on far bigger economic costs to the organization:
- The average economic loss from an expired certificate is $11.1 million
- Failed audits due to a lack of clear certificate and key management and policies have an impact of $14.4 million
- The economic impact of code signing certificate and key misuse topped $15 million
These figures aren’t the cost of doing business; they’re powerful enough to get boards of directors involved and impact company valuation. These types of costs go way beyond a budget line item.
So, how do we avoid – or at least minimize – the risk?
Investing in Digital Identity Management
In many cases, the process of trying to discover, inventory and then manage certificates is left to manual processes that are prone to human error.
When I ask people how they manage certificates, the overwhelming majority still use a spreadsheet to track which certificates live where and when they expire. In some cases, customers have invested in certificate management products but, due to per-cert licensing models, only have the budget to track a subset of all certificates, leaving a large portion of the enterprise unprotected.
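As an added illustration of the "automate" step the report calls for (example code, not from the report or from any vendor's product), the Go program below uses only the standard library to parse PEM certificates and fill in the columns a spreadsheet would otherwise hold by hand: the names on the certificate, days until expiry, and whether renewal is due. The hostnames and the 30-day renewal window used with it are constructed sample values; SelfSigned exists only to generate throwaway test certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Status is one inventory row: the columns a spreadsheet would track by hand.
type Status struct {
	Names    []string // subject alternative names, the hostnames TLS clients actually match
	DaysLeft int      // whole days until notAfter, truncated toward zero
	Action   string   // "expired", "renew" (inside the renewal window) or "ok"
}

// Check parses one PEM-encoded certificate and evaluates its notAfter against now.
func Check(pemBlob []byte, now time.Time, renewWindowDays int) (Status, error) {
	block, _ := pem.Decode(pemBlob)
	if block == nil || block.Type != "CERTIFICATE" {
		return Status{}, errors.New("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Status{}, err
	}
	s := Status{Names: cert.DNSNames, DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24), Action: "ok"}
	if now.After(cert.NotAfter) {
		s.Action = "expired" // decided on the timestamp: DaysLeft still reads 0 during the first day after expiry
	} else if s.DaysLeft < renewWindowDays {
		s.Action = "renew"
	}
	return s, nil
}

// SelfSigned builds a constructed self-signed certificate as sample input (throwaway test data, not a real cert).
func SelfSigned(names []string, notBefore, notAfter time.Time) []byte {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed all-zero seed: deterministic test key only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run Check over every certificate that discovery turns up, on a schedule, and the spreadsheet becomes a report that cannot silently go stale.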
I hope that, if nothing else, this report serves as a wake-up call. As cybersecurity and IT executives, our companies are counting on us to offer solutions (and full disclosure: my company offers one), and chances are your PKI expert is trying to build a business case for just that.
I’d love to hear more about your company’s experience and compare it to the report’s findings. Please reach out to me to find a time to talk.