Opinion: Tammy Moskites, Venafi CIO and CISO, talks to CBR about the cost of unplanned outages to an organisation, and why they occur in the first place.
Unplanned outages are painful, we all know this. The question is, do we all know why they happen and how to prevent them? Most likely not. Outages are typically thought of as the most important security story that no one wants to talk about. But if you don’t start paying attention to outages, it could destroy your brand and cost your company millions.
There are seven main causes of unplanned outages that IT security teams should keep top-of-mind:
Expired Keys and Certificates: Keys and certificates keep your website running and allow a secure connection to your system/network. When they expire, this is usually a result of human error and can leave your network extremely vulnerable to outages.
Software Bugs: Software bugs occur when there is an error, flaw, failure or fault in a computer program or system that causes a program or system to produce an incorrect or unexpected result.
Equipment Failure: Equipment is often unable to perform its requested function due to it being outdated or overused.
High Bit Error Rates: This occurs when the number of bit errors per unit time is too high for the system/network to perform correctly.
Power Failure: Many of the highly publicised network outages are due to a system/network losing electrical power.
Overload Due to Exceeding the Channel Capacity: This is when a system/network is not set up to support as much traffic as it is receiving.
Cascading Failure: This is a failure in a system of interconnected parts in which the failure of one part can trigger the failure of successive parts.
From this list, lets take a closer look at expired keys and certificates, as they are the main reason behind most major service interruptions and an issue that can be easily fixed. Digital certificates provide a crucial security function by assigning public keys to be used for cryptographic purposes, including digital signatures and encryption. The Certificate Authorities (CAs) that issue these certificates also determine how long they will be valid—weeks, months, or years—before they will need to be replaced or updated.
Research by the Ponemon Institute suggests that in the average enterprise, the total number of keys and certificates is over 23,000. And another survey conducted by TechValidate on behalf of Venafi suggested that most organisations (56%) used manual methods to manage their keys and certificates.
So when using manual methods, it’s virtually impossible to know where all of your keys and certificates are located, how to secure and keep track of them, or know exactly when they will expire. With this lack of visibility, it’s no wonder organisations are experiencing outages!
In autumn 2015, the Ponemon Institute released further survey results from 2,394 respondents in Global 5000 organisations, which noted that businesses are losing millions due to expired certificates and unplanned outages. To be more exact, $15 million is the average lost per outage! In the survey, the majority of the businesses even admitted to losing customers over the last two years because they failed to secure the trust established by keys and certificates.
Unfortunately, hackers are very aware of the vulnerabilities they can exploit with unsecured keys and certificates, and they take full advantage of them through website spoofing, server impersonation, and Man-in-the-Middle (MITM) attacks.
Knowing that e-commerce, computing, and mobility are all affected by outages, it turns what was once the unsexy story into one that all enterprises need to pay attention to in order to run their businesses smoothly and securely, and avoid becoming the next news headline.