We human beings are notoriously imperfect. To err is human, right? One of the funniest mistakes that I make on a regular basis is when I look around my house for a small object that I was holding in my hand the whole time. Just yesterday I was putting my makeup on and I realized that my eyeliner pencil needed to be sharpened. Yes, I spent multiple minutes looking for the pencil sharpener that I was holding totally obliviously. Oops.
Human error also has a measurable effect on machine identities, most notably on the effectiveness of TLS certificate implementation. And sometimes TLS certificate mistakes don't just expose valuable data to cyber attack; they also have tremendously negative consequences for basic functionality. They can be the kind of mistakes that upset millions of customers, damage a brand's reputation, and cost businesses millions of dollars. What happened to major British cellular carriers on December 6th certainly illustrates my point. As I wrote here on Venafi’s blog:
“I use my phone constantly for work, play, and leisure. It’s pretty much always on my person. I’m probably rather typical. So, when about 32 million people in the UK lost the use of 4G and SMS on December 6th, I could definitely feel their pain. That’s a major inconvenience to people in their everyday lives, and also to many businesses which rely on their phones.
The outage affected O2 customers, and also customers of other Telefonica U.K. carriers, which include GiffGaff, Lyca Mobile, Sky Mobile, and Tesco Mobile. The common link is Ericsson’s Serving GPRS Support Node – Mobility Management Entity software. Ericsson was making changes to Ericsson's Centralized User Database of subscribers. And what was the point of failure? An expired certificate. A singular machine identity. Really!”
Imagine if Ericsson and Telefonica had reduced the potential for human error by more thoroughly automating their certificate management tasks. There wouldn’t have been about 32 million Brits upset about not being able to use their phones for an extended period of time.
Manually performing digital tasks that would be more effective when automated is having a detrimental impact on large organizations with legacy IT infrastructure and existing operations.
Business consulting firm Protiviti just released a study which surveyed the world’s 300 CXOs (such as Chief Risk Officers, Chief Sales Officers, Chief Diversity Officers, and Chief Legal Officers). Digital identity management is one specific concern, and it hurts organizations when they do it the old-fashioned manual way. According to the study:
“Concerns related to privacy and identity protection continue to be among the top 10 risk concerns for 2019. The presence of this risk in the top 10 is somewhat expected given the increasing number of reports of hacking and other forms of cyber intrusion that compromise sensitive customer and personal information. Two-thirds of our respondents rated this risk as ‘Significant Impact’ for their organization. This concern is likely linked to the proliferation of legislation to protect the privacy of personal information. Initiated in the European Union and spreading to the United States and elsewhere, that legislation has created enormous complexities for business with the teeth of potential fines, penalties and reputation loss that cannot be ignored.”
TLS certificates need to be generated not only for your organization’s websites and web applications, but also for all of your organization’s internal and external entities which interface with public key infrastructures, such as email, internal documents, application authentication, Internet of Things devices, and network services of all kinds. You could be working with one certificate authority or a number of different certificate authorities. Certificates constantly expire, and new certificates constantly need to be generated. One little mistake made with any of them can have catastrophic consequences. Cyber attackers could access your sensitive data or interfere with your crucial business operations, or millions of customers could find that your services for them don’t work.
Plus, automation relieves human workers of the burden of having to conduct very tedious tasks. The human brain absolutely hates tedious tasks, and boredom increases the risk of human error. Computerized automation systems conduct tedious tasks perfectly according to the instructions they’ve been given, and they’re much less expensive than human labor hours. Save your labor costs for work which absolutely requires human beings.
North Carolina State University collaborated with Protiviti for their study. NCSU’s Deloitte Professor of Enterprise Risk Management Mark Beasley said, “Those organizations that have those embedded, traditional processes may not be able to compete in the marketplace as nimbly as some of those competitors that we refer to as ‘born digital.’ That risk rose to the number one spot this year.”
And guess what? Those “born digital” companies have automation in their DNA.
Organizations need to make sure they monitor their digital certificates for signs of misuse. To do that, they need to obtain complete visibility over their certificates.