A company’s brand is among its most valuable assets. That’s why the world’s most valuable and well-recognised brands will take on imposters in high-profile, expensive legal battles. Yet these same brand stewards do relatively little to insure against the brand damage that comes when their customer or partner data is breached.
This need for better oversight is not hypothetical - just ask Lockheed Martin, L3, Epsilon, EMC and others.
You can’t fully understand why companies are doing so little to protect the integrity of their public sites, data and brands unless you understand that many believe they are protecting them already, simply by deploying digital certificates and encryption keys. Whenever a user connects to a secure website, the website presents a digital certificate which identifies the site and the organisation that owns it. A digital certificate is signed by a Certificate Authority (CA), and browsers verify that signature to decide whether the site truly belongs to the organisation or to an imposter.
Customers may not realise the background processes securing their activities—until they break down. This can occur in two equally critical ways: the certificate can expire, causing users to believe that a legitimate site belongs to an imposter; or the certificate can be compromised, causing users to believe that an imposter’s site is legitimate.
In the first case, users see the problem immediately in a warning against accessing the site. Some users will simply abandon the site out of fear and might also assume that the company’s security has been breached, which damages the company’s reputation almost as much.
A compromised certificate poses an even greater risk because the problem might remain invisible. Hackers can launch “man-in-the-middle” and phishing attacks, luring customers to the imposter site and tricking them into revealing valuable information. This type of security breach should make brand stewards wake up in a cold sweat: not only can the company be fined for regulatory violations, but the scandal can ripple through the company’s image for years.
At first glance, protecting online data and systems seems a simple proposition: keep encryption keys and certificates up-to-date, accounted for, and properly protected. But this conceals the complexities of implementing them.
Problem one: Proliferation of digital certificates
Most companies have certificates from multiple CAs and no simple method for managing authentication mechanisms. These companies cannot effectively manage their certificate assets with the piecemeal solutions offered by individual CAs nor with their own makeshift measures - they require a CA-neutral enterprise key and certificate management (EKCM) process.
Problem two: Underestimation of the problem
Uninformed security professionals can also stand in the way of an adequately protected website. Many think that their job starts and ends with purchasing and deploying a digital certificate. Even after the company becomes aware of an issue, IT staff often find it nearly impossible to locate and replace the compromised certificate.
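Problems one and two both come down to knowing which certificates you hold, who issued each one and when it expires. As an added example that is not part of the original article, the following POSIX shell script (assuming the openssl command-line tool is installed; the host names are constructed) walks a directory of PEM certificates, records the issuing CA of each and flags the ones that are expired or inside a renewal window:

```shell
#!/bin/sh
# Added example, not from the original article: a small CA-neutral certificate
# inventory check built on the openssl CLI (assumed to be installed).
set -e

# check_cert FILE DAYS: print "file | subject | issuer | notAfter | STATUS";
# return 0 when the certificate is fine, 1 when it needs attention.
check_cert() {
  file="$1"
  secs=$(( $2 * 86400 ))
  subject=$(openssl x509 -in "$file" -noout -subject)
  issuer=$(openssl x509 -in "$file" -noout -issuer)
  notafter=$(openssl x509 -in "$file" -noout -enddate | cut -d= -f2)
  if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
    status=EXPIRED      # past notAfter: browsers already warn users
  elif ! openssl x509 -in "$file" -noout -checkend "$secs" >/dev/null; then
    status=EXPIRING     # still valid, but inside the renewal window
  else
    status=OK
  fi
  printf '%s | %s | %s | %s | %s\n' "$file" "$subject" "$issuer" "$notafter" "$status"
  [ "$status" = OK ]
}

# inventory DIR DAYS: check every *.pem in DIR; the exit status is the number
# of certificates that are expired or expiring (0 means all clear).
inventory() {
  bad=0
  for f in "$1"/*.pem; do
    [ -e "$f" ] || continue
    check_cert "$f" "$2" || bad=$(( bad + 1 ))
  done
  return "$bad"
}

# make_demo_cert FILE DAYS CN: constructed self-signed certificate so the check
# can be exercised offline (hypothetical host names, no real CA involved).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$3" -days "$2" -out "$1" >/dev/null 2>&1
}

# demo: one certificate expiring tomorrow, one good for a year, 30-day window.
demo() {
  dir=$(mktemp -d)
  make_demo_cert "$dir/shop.pem" 1 shop.example.test
  make_demo_cert "$dir/portal.pem" 365 portal.example.test
  inventory "$dir" 30 || echo "certificates needing attention: $?"
}
```

Run `demo` to see the report; in practice point `inventory` at the directories where web servers and load balancers keep their certificates.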
Problem three: Technology outpacing management
Almost every company has a website to host services, deliver content, furnish demographic research, and provide a sales channel. As a result, more sensitive data than ever is floating around in cyberspace. Hackers have seized the opportunity to hijack inadequately secured data and the complexity of their exploits is rapidly outpacing advances in security.
The bottom line is that information security teams that use outdated technologies to combat sophisticated exploits are essentially taking knives to a gunfight. Effective encryption key and digital certificate management gives these teams a bullet-proof vest, so visitors to a site will never have to ask, “will the real website please stand up?”