To leaders, the rise of digitization and the cyber risk it presents can feel like old news. We’re so inundated with cyber breach stories that we’re almost numb to them. We’re hyper-focused on the bottom line and on the digital scale we need to achieve it. Yet it’s become apparent that our digital scale is creating sweeping critical trust concerns at the enterprise level.
As we work toward becoming digital businesses – at a pace that’s quickly accelerating due to COVID-19 – we’re connecting record numbers of devices and applications, sharing and passing information across the Internet like never before. Research firm Frost & Sullivan forecasts that a staggering 50 billion connected devices will exist by next year. Often the information being passed from those devices is critical to our business and sometimes life-impacting, as in the case of medical devices. The number of digital certificates and keys protecting those connections is growing too, and with it the complexity of managing them, which increases our risk of security breaches, systems outages and failed audits.
This year’s Verizon Data Breach Report documented 17,000 reported breaches and more than 375,000 security incidents, a +600% year-over-year increase. Yes, breaches are monumental. They represent a real leak or loss of credentials, revenue and reputation. But when we’re talking about critical trust gaps, the fact that incidents outnumber breaches by 22x is concerning. An incident is a security event that didn’t result in a breach but caused equally disruptive consequences, like downtime or unplanned expense to shore up faulty systems. Like security breaches, many incidents can be traced back to self-inflicted errors that cause harm even when they stop short of a full-blown breach.
Suddenly, we find ourselves asking whether rapid innovation is worth the price of exposing our enterprise to security risks.
Consider Equifax, a record-breaking breach event that resulted in the loss of 143M customer records, a $650M settlement fee and a reported $1.4B in security upgrades. Experts blame several security and policy failures, but perhaps the most damning and damaging event points to a single expired certificate, a lapse that prevented Equifax from detecting mass data exfiltration that continued for more than two months. In this year’s United States Senate Permanent Subcommittee on Investigations Equifax breach report, the word “certificate” was used 67 times in its 71 pages.
The Equifax breach is just one example of the growing importance of digital certificates and of the operational issues and security threats they pose if mismanaged or neglected. Within the IT ecosystem, certificates and keys fall under public key infrastructure (PKI), a battle-tested and time-tested cryptography tool known in the industry as “the backbone of IT”. Today’s data protection regulations require many layers of encryption to secure keys and manage digital certificates, but the resourcing and the continuous care and feeding that traditional PKI requires drive operational costs up. Many organizations have decided they’re willing to take the risk, trading care, feeding and dedicated staffing for other “mission critical” spend.
In a recent study, 87% of organizations experienced at least one certificate-related outage in the past two years. A similar study estimated the total cost of a single unplanned outage at $11.1M, and put the likelihood that an organization will experience a certificate-related incident over the next two years at 30%. An outage isn’t a breach, but the reality is that even unplanned outages are expensive and lead to productivity loss, customer distrust and reputational damage. Add to that the cost of failing an audit or of regulatory non-compliance, which can run upwards of $14.4M.
Compare those potential financial losses to IT spend: organizations annually spend an average of $18.2M on IT, but just $2.5M, or 14% of those funds, on PKI-related initiatives. What’s worse, there’s often no clear owner of the PKI budget, so what industry analysts refer to as “critical infrastructure” is treated as an organizational hot potato.
When we revisit the idea of critical trust and ask whether we’re willing to risk exposing our network to improve our bottom line, the answer should be an unequivocal “no”. The critical trust gap pits what the enterprise needs against what it’s able to do with the technology it has in place; the result is that our customers and employees lose trust in our stewardship of the critical data we’ve sworn to protect.
Yet signs of progress are emerging: a critical trust movement in which leaders are pushing IT to the top of the agenda, making digital business and the bottom line equal partners. Why? Because among its many hard lessons, the Equifax breach has reaffirmed that accountability sits with the C-suite. Large enterprises pride themselves on scale and security, yet that success can be wiped out by a single network outage or breach. Enterprise leaders shouldn’t feel pressure to compromise; they can (and should) have the confidence to move fast in the market and stay connected without risking the security of the enterprise itself.
We’ve seen a record outbreak of digital certificate and key-related security breaches in recent years. As we manage and balance our 2020 budgets and strategic plans, let’s take this opportunity to plan for the foundational orchestration and security management tools that will prevent a potentially catastrophic systems outage, a security incident or, worse, a large-scale breach event.
Jordan Rackie, CEO at Keyfactor