
Digital certificates are vital

by Mark Rowe

Expired certificates are costing businesses millions, says Glyn Worrall, RVP, Technical Account Management at the cyber security firm Tanium.

Large organisations are a magnet for cybercriminals looking to harvest personal information or hold services hostage. And it seems no business is safe. Only months ago, Twitter (now X) found itself the victim of a criminal hacker who leaked more than 220 million users’ email addresses.

But, while social media giants, state-sponsored attacks and international ransomware gangs are the ones grabbing headlines, the reality is that many cyber attacks aren’t that sophisticated. In truth, an organisation’s systems could be brought to their knees by something much closer to home, potentially boiling down to nothing more sinister than the failure to renew a digital certificate.

Digital certificates are a core component of digital communication. Each one binds a public key to an identity, so that every link in a digital transaction can verify who it is talking to; the encrypted sessions that are built on that verified identity are what give transmitted data its confidentiality and integrity. As such, digital certificates underpin secure operations and communications, ensuring that only trusted devices and services can connect to network resources.

In the commercial world, businesses can have hundreds of thousands of certificates. For large enterprises, it’s almost impossible to put a figure on how many are in circulation to keep systems running smoothly. Regardless, every organisation that uses digital certificates faces the same potential threat. If they are not properly inventoried and managed, a single expired certificate can cause an unplanned system outage. For a business, that could result in a halt to trading and loss of revenue. In fact, it’s estimated that unplanned downtime from expired certificates costs organisations upwards of $300,000 per hour.

When you consider critical infrastructure, like hospitals, it could disrupt patient services and lead to issues far more serious than loss of income. What’s more, weak or expired certificates create security exposure of their own: certificates with weak keys or outdated algorithms can be broken, and an expired certificate tempts operators and users to click through warnings or switch off validation, which is exactly the behaviour an attacker needs in order to get between two systems on the network.

Because the loophole is so mundane, in effect the result of an administrative slip-up, it could be described as a self-inflicted and easily avoidable security threat that should never take down an organisation of any size or standing. And yet, in December 2018, O2 suffered a major outage on its 4G mobile network, the cause of which was traced to an expired certificate in its network vendor’s software. And in 2023, Elon Musk’s Starlink satellite Internet service went offline following reports of certificate issues at its ground stations.

No one is immune from administrative oversight

The message is simple. If it can happen to the likes of O2 and Starlink, it can happen to anyone. For instance, if a digital certificate expires, a retailer’s order systems may no longer be able to establish trusted connections to the services that hold its customer records, because every properly configured client will reject the expired certificate. Nothing is lost, but the data cannot be reached until the certificate is replaced. This could leave retailers unable to retrieve the information necessary for completing orders, or stop customers from placing orders at all.

For large retailers which can process thousands of orders every minute, any downtime caused by an expired certificate can lead to millions in lost revenue. It could also increase the threat of a cyber-attack: the quick fix for an expired certificate is too often to disable certificate validation or accept the warning, and once that happens the communication is no longer authenticated and the data becomes vulnerable to interception and exploitation.

And it goes without saying that the reputational damage would linger long after certificates are renewed, and systems returned to good health. A data breach — or a significant disruption in services due to an expired certificate — could seriously damage an organisation’s reputation and erode customer trust.

Thorough certificate hygiene and management vital to protect patient services

To mitigate the risks, it’s essential that organisations have robust certificate management practices in place. This includes maintaining an up-to-date inventory of certificates and where each one is deployed, implementing automated monitoring and alerting on certificate expiry dates, and renewing well before expiry, with enough lead time to roll the new certificate out to every system that uses it. Businesses also need to have contingency plans in place to address any unforeseen certificate-related issues promptly.
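As an added example of the inventory-and-alerting step described above (this is not code from the article, nor Tanium’s), the following Python script walks the DER structure of each certificate just far enough to read its notAfter date, classifies every entry against assumed 30-day warning and 7-day critical thresholds, and reports the worst cases first. The host labels, thresholds and certificates are constructed for the demonstration; fetch_leaf_der is the only part that touches the network and is not called in the offline run.

```python
"""Certificate inventory expiry check (added example; not the article's or Tanium's code)."""
import datetime as dt
import socket
import ssl

UTC = dt.timezone.utc

# --- Minimal DER walker: just enough to reach the Validity field of an X.509 certificate ---

def _tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Yield (tag, value) for each element directly inside a constructed DER value."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; RFC 5280: YY < 50 means 20YY
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    elif tag != 0x18:                       # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def validity_from_der(der):
    """Return (not_before, not_after) from a DER-encoded X.509 Certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)               # TBSCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (tb, vb), (ta, va) = list(_children(fields[3][1]))[:2]
    return _parse_time(tb, vb), _parse_time(ta, va)

# --- Expiry policy (thresholds are assumed values, not from the article) ---

def expiry_status(not_after, now=None, warn_days=30, crit_days=7):
    """Classify a certificate by the number of days left before notAfter."""
    now = now or dt.datetime.now(UTC)
    days = (not_after - now).total_seconds() / 86400
    if days < 0:
        return "EXPIRED", days
    if days < crit_days:
        return "CRITICAL", days
    if days < warn_days:
        return "WARNING", days
    return "OK", days

def check_inventory(inventory, now=None, warn_days=30, crit_days=7):
    """inventory: iterable of (label, der_bytes). Returns [(label, status, days_left)], worst first."""
    rank = {"UNPARSEABLE": 0, "EXPIRED": 1, "CRITICAL": 2, "WARNING": 3, "OK": 4}
    report = []
    for label, der in inventory:
        try:
            _, not_after = validity_from_der(der)
            status, days = expiry_status(not_after, now, warn_days, crit_days)
        except (ValueError, IndexError, UnicodeDecodeError):
            status, days = "UNPARSEABLE", None   # an unreadable certificate is an alert, not an OK
        report.append((label, status, days))
    return sorted(report, key=lambda r: rank[r[1]])

def fetch_leaf_der(host, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate in DER form (needs network; not run offline)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE         # deliberate: we want to observe an expired cert, not trust it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# --- Constructed test data: a structurally valid certificate with a dummy key and signature ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _time_der(t):
    """RFC 5280 rule: dates before 2050 are encoded as UTCTime, 2050 and later as GeneralizedTime."""
    if t.year < 2050:
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    return _der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())

def make_test_cert(not_before, not_after, cn=b"test.example"):
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, _time_der(not_before) + _time_der(not_after)) + name
               + _der(0x30, alg + _der(0x03, b"\x00" * 17)))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))

def demo_report():
    """Run the check at a fixed 'now' over a constructed inventory so the result is reproducible."""
    def d(*ymd):
        return dt.datetime(*ymd, tzinfo=UTC)
    inventory = [   # constructed labels and certificates, not real endpoints
        ("web-frontend", make_test_cert(d(2024, 1, 1), d(2025, 1, 1))),   # 200 days left
        ("payments-gw",  make_test_cert(d(2023, 8, 1), d(2024, 6, 20))),  # 5 days left
        ("mail-relay",   make_test_cert(d(2023, 8, 1), d(2024, 7, 5))),   # 20 days left
        ("legacy-api",   make_test_cert(d(2023, 6, 1), d(2024, 6, 12))),  # expired 3 days ago
        ("internal-ca",  make_test_cert(d(2024, 1, 1), d(2050, 6, 1))),   # exercises GeneralizedTime
        ("garbage",      b"\x30\x03\x02\x01\x01"),                        # not a certificate at all
    ]
    return check_inventory(inventory, now=d(2024, 6, 15))

if __name__ == "__main__":
    for label, status, days in demo_report():
        left = "n/a" if days is None else f"{days:.1f} days"
        print(f"{status:<12}{left:>12}  {label}")
```

Two design points matter for monitoring. An entry that cannot be parsed is reported ahead of everything else rather than silently skipped, since an inventory that quietly drops items is how certificates get forgotten. And the live fetch disables validation on purpose: a monitor must still be able to read a certificate that has already expired, which a verifying client would refuse to connect to. In production the hand-rolled DER walker would be replaced by a proper X.509 library; it is written out here only to show where notAfter lives and how the 2050 encoding rule applies.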

That’s why all organisations, public and private, need to embrace certificate management solutions. These help organisations modernise certificate management to accurately inventory certificates across all endpoints, even ones invisible to existing tools. They also provide visibility into expiring or unauthorised certificates and find ciphers and certificates vulnerable to compromise, all in real time via a single endpoint management platform.

It’s an approach endorsed by Jennifer Glenn, research director for IDC’s Security and Trust Group. “Effective certificate management is essential for organisations to achieve their cybersecurity and vulnerability and risk management hygiene goals,” said Glenn.

“The sheer number of certificates that each organisation must identify and manage across the business makes certificate management incredibly challenging,” she said.

What is clear is that the problem is not going away. As IT environments continue to grow in complexity, organisations are faced with the task of grappling with countless disparate tools and manual processes to find and patch vulnerabilities, configure policies, and manage certificates.

It’s a security-related task that is easily within the reach of every organisation including healthcare — as long as they employ the tools necessary to manage their certificates. For anyone responsible for IT security, it’s part and parcel of keeping pace with the increasing frequency and sophistication of cyber threats.


© 2024 Professional Security Magazine. All rights reserved.
