A whopping 59 percent of businesses report losing online customers due to certificate errors that cause website outages and generate certificate warning messages.
That's according to a Ponemon Institute report, sponsored by Venafi, that surveyed 2394 IT security professionals in a range of industries in the UK, US, Germany, France and Australia. The 2015 Cost of Failed Trust Report concluded that unprotected keys and certificates are jeopardising the digital trust which underpins the world's economy.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said the problems can be traced to outdated methods of work and the pace of application development which doesn't always leave enough time for security.
The Ponemon/Venafi report found that, on average, businesses worldwide suffered two certificate-related system outages in two years, at an average cost of almost £10 million per outage. In the UK, unfortunately, the average number of outages was three.
Respondents also reported that their businesses had failed one or more SSL/TLS and SSH audits in the same period. The global average was one failed audit, but the UK average was two, which Bocek attributes in part to there being more auditors in the UK.
The root of the problem can be traced to lack of visibility and lack of policy enforcement and remediation for keys and certificates, as 54 percent of respondents admitted their organisations lacked either of these.
Bocek said the average number of certificates held by organisations in the UK in this year's survey is 25,000, up 40 percent from 2013.
“In just two years you've had 20 percent growth year over year in the number of keys and certificates that these survey respondents are aware of,” Bocek said. “That tells you the direction of where we are headed, which is good, which is a Snowden effect. That's an adversary effect, that's us becoming more aware and sensitive of attacks, so those are all good things. We want more encryption and authentication behind our websites, devices and applications.”
However, the downside is that the keys and certificates protecting these assets are also causing businesses to lose customers and trade when authentication fails.
While the five-country average share of respondents reporting lost business was 59 percent, the figure was slightly higher in the UK, where 61 percent said their organisations had lost business in the past two years because of problems with certificates and keys. The size of the individual losses was not reported.
In August, the information arm of GCHQ, CESG, was forced to take down its HTTPS website after the organisation's SSL certificate failed because it relied on the obsolete SHA-1 hash algorithm for its signature. It took a few days to replace it with a certificate signed using SHA-256.