Say it with me—UNPLANNED OUTAGES ARE PAINFUL!
Of course, we all know this. The question is, do we all know why they happen and how to prevent them? Most likely not. Outages, also referred to as downtime, are typically thought of as the most important security story that no one wants to talk about. So today, we are going to discuss why it doesn’t matter how sexy APTs, threat intelligence, and other trendy security topics might be; if you don’t start paying attention to outages it could destroy your brand and cost your company millions.
There are seven main causes of unplanned outages that IT security teams should keep top-of-mind:
- Expired Keys and Certificates: Keys and certificates keep your website running and allow a secure connection to your system/network. When they expire, this is usually a result of human error and can leave your network extremely vulnerable to outages.
- Software Bugs: Software bugs occur when there is an error, flaw, failure or fault in a computer program or system that causes program or system to produce an incorrect or unexpected result.
- Equipment Failure: Equipment is often unable to perform its requested function due to it being outdated or overused and this is a common cause of unplanned outages.
- High Bit Error Rates: This occurs when the number of bit errors per unit time is too high for the system/network to perform correctly.
- Power Failure: Many of the highly publicized network outages (See 2013 Super Bowl) are due to a system/network losing electrical power.
- Overload Due to Exceeding the Channel Capacity: This is when a system/network is not set up to support as much traffic as it is receiving.
- Cascading Failure: This is a failure in a system of interconnected parts in which the failure of one part can trigger the failure of successive parts.
Now, let’s take a deeper look at expired keys and certificates, since it is the reason behind most major service interruptions and an issue that can be easily fixed.
Digital certificates provide a crucial security function by assigning public keys to be used for cryptographic purposes, including digital signatures and encryption. The Certificate Authorities (CAs) that issue these certificates also determine how long they will be valid—weeks, months, or years—before they will need to be replaced or updated. As shown in a survey conducted by TechValidate on behalf of Venafi, most organizations (56%) used manual methods to manage their keys and certificates before turning to Venafi (Source: TechValidate. TVID: 739-CC2-CFC).
According to research by the Ponemon Institute, in the average enterprise, the total number of keys and certificates is over 23,000—so when using manual methods, it’s virtually impossible to know where all of your keys and certificates are located, how to secure and keep track of them, or know exactly when they will expire. In fact, the TechValidate survey discovered that, on average, Venafi customers found over 16,500 previously unknown keys and certificates after deploying Venafi (Source: TechValidate. TVID: 363-53E-598). With this lack of visibility, no wonder organizations are experiencing outages!
Last Fall, Venafi partnered with the Ponemon Institute to release survey results from 2,394 respondents in Global 5000 organizations, which noted that businesses are losing millions due to expired certificates and unplanned outages. To be more exact, $15 million is the average lost per outage! In the survey, the majority of the businesses even admitted to losing customers over the last two years because they failed to secure the trust established by keys and certificates.
Unfortunately, hackers are very aware of the vulnerabilities they can exploit with unsecured keys and certificates, and they take full advantage of them through website spoofing, server impersonation, and Man-in-the-Middle (MITM) attacks.
Knowing that e-commerce, computing, and mobility are all affected by outages, it turns what was once the unsexy story into one that all enterprises need to pay attention to in order to run their businesses smoothly and securely, and avoid becoming the next news headline.
What are you doing to prevent outages at your business while still ensuring strong security practices? I’d love to hear your recommendations and best practices.
Cheers!