GlobalSign Blog

15 Dec 2015

Your Business Could Lose Up To $15 Million By Forgetting This One Vital Thing

It’s one thing to lose money through market or industry fluctuations, but losing money because you forget to renew your SSL Certificate can be disastrous for your company, especially your brand image and trustworthiness with your prospective and existing customers.

Research shows that nearly two thirds of businesses already admit to having lost customers within the last two years because they have failed to secure their website with the right certificates.

When customers lose trust in your website and consequently your business, they may decide to take their business elsewhere in fear of having their data stolen. If your website isn’t secure then you run the risk of having your data breached, which can cause financial strain to the tune of millions of dollars.  Incident response, settlements, legal fees, fines and PR are just a number of costs that your business may incur because you simply forgot to renew your certificates.

According to a Ponemon report in 2015, the average organization has already suffered more than two system failures in the last two years due to ‘certificate related outages’. The average cost of having an unplanned certificate related outage is around $15 million.

Microsoft Azure Case Study

In 2013 Microsoft’s Azure cloud platform went under a worldwide outage because of an expired SSL Certificate. This came at a time where problems were also reported in Microsoft’s Xbox Music and Video services.

This announcement also came on the same day as Microsoft admitted to being a victim to the same cyber hack as both Apple and Facebook. As you can imagine many customers had to be communicated to, Microsoft’s PR team had to handle the messaging over the situation and Microsoft also had to take a hit on any services and products that could have been purchased at the time of the attack.

You can see from the below image from the Ponemon report, how the cost to the business is split by compliance failures and business continuity.

Ponemon The high cost of expiring SSL certificates

How Can I Ensure My Website Is Secure?

With the increasing risk of hacking attacks, auditors are clamping down on the standards and regulations companies will have to comply to in order to show they are not posing a risk to their customers or even their own data. If you want to know what steps you need to take in order to comply then visit the published standards page on the IT Governance website.

Now that companies like Google are ranking organizations with secure websites more highly it is clear that this is an increasing trend in business and IT security.

Here’s a few steps you can now take in order to make sure your website is secure at all times:

Do an internal audit

Start by bringing together all of your current certificates and keys and looking at where there might be gaps.

You can start by checking your website servers with our free tool. If you’re a customer at GlobalSign then you can also use our free certificate inventory tool to check where you have already installed certificates and when you will need to renew them.

Make sure that you list all dates of when each certificate is about to expire and log these in a place where you will not forget. It could be helpful for you or the person in charge of your IT Security to set a reminder in your calendar when each certificate is about to expire so they can update certificates without leaving your website vulnerable. Alternatively you may want to look at having a managed SSL solution where you can control your certificates through an online platform and be notified of certificates needing renewal in advance.

Enforce internal policy

After reading up on the ISO standards you should create the right processes within your company and document them so that as much as possible, everyone in your business is aware of the steps you are taking, why you are taking them and how they are involved.

Companywide training should also be given so that employees understand the changes you are making and also how to avoid potentially risking your data by falling for a phishing scam, or leaving sensitive data where it may be at risk.

Here’s an example of some of the procedures you may want to implement to protect your business both internally and externally on a physical and online level:

  • Smart card/key fob entry access to buildings, offices and rooms, with varying permission levels for different staff
  • Company policies to include regular employee training on best practices and how to detect and report potential security threats and issues
  • Two-factor authentication for employees to access machines, devices, networks and online portals
  • Digitally sign emails to prove authorship and prevent tampering and encrypt emails containing sensitive data and information

Ensure you are keeping up-to-date with IT security news

A large part of keeping your website/s and data secure will be from simply keeping up-to-date with the latest news in IT and Security. You can find some of our favourite security publications on Twitter by subscribing to our list.

Alternatively check out Infosecurity and The Register for the latest in IT and Technology news.

By regularly keeping up-to-date you can react quickly when new bugs or viruses are reported or updates need to be made. For example, it has recently been reported that SHA-1 (the hashing algorithm developed and used in digital certificates) could be hacked in just a few years. It has therefore been recommended that if you own a SHA-1 SSL Certificate that you should upgrade to SHA-256 as soon as possible.

Recruitment and resources

As an owner or senior level director within an organization, it is likely to be increasingly difficult to pay your full attention to the IT security requirements that are commonly needed.  Therefore, if the organization is large enough, you may need to consider the benefits of employing the right individuals and dedicating the right resource to your IT security projects.

This will vary depending on your industry and security needs both internally and externally. If you aren't sure then it is worth consulting with someone who has experience in securing a company similar to yours.

Share this Post

Subscribe to our Blog