The Dangers of Expired and Rogue SSL Certificates
An expired or rogue SSL Certificate in a network environment could have severe repercussions. It takes just one out-of-date or rogue certificate to expose the enterprise—and perhaps more importantly, its customers—to malicious cybercrime. The following are just a few potential consequences of expired and rogue SSL Certificates.
Theft of customer data
Thanks to years of news headlines about data breaches and education efforts led by consumer advocacy groups and businesses, the public is more concerned about identity theft than ever before. A recent study found that 64 percent of Americans are very or extremely concerned about someone stealing their identity, with 31 percent describing their level of worry as extremely concerned.
In this context, the risk of phishing is a major concern. In a phishing attack, a hacker will assume the identity of a legitimate business—taking advantage of the business’s lack of authentication from non-existent or expired SSL Certificates—and create a fake website that looks similar if not identical to the real site.
Unsuspecting customers will then enter confidential information, such as credit card or social security numbers, on the site. The phished site feeds data directly to the hacker, who may in turn sell it to other criminals.
Even if a phishing incident or data breach is relatively minor, it can exacerbate these fears and seriously threaten the enterprise. In fact, research has found that 31 percent of customers will terminate their relationship with a company following a data breach regardless of the degree of severity.
Beyond these immediate losses, phishing and data breaches can also affect the reputation of an enterprise and lead both current customers and prospects to question whether a particular business can be trusted. Industry experts say that it takes about six months to stabilize sales and confidence in a company’s network after a breach—and even then a company’s reputation may not be completely restored.
Losing customers to competitors
Another factor that concerns businesses is expired SSL Certificates, which can lead to lost business in other ways. Chief among them is simply losing traffic when customers see warnings of SSL Certificate expiration and leave your site to purchase products and services on sites that are secured with SSL Certificates.
Customers may not know exactly how public key encryption works, but visible signs of SSL security—such as an SSL trust seal or the green Extended Validation bar—will make them more likely to transact on a particular site. If SSL Certificates on e-commerce or other types of public-facing sites expire, those sites will lose customers’ trust, resulting in loss of business.
Increased calls to customer support
Today, many companies offer web tools, automated phone menus, and other self-service options to make it easier for customers who have questions to find the information they need. However, if customers visit a website and have any concerns about whether their private data is secure, they will either abandon their transaction (as discussed above) or they may call customer support.
The average cost per support call varies widely across industries, but one fact is certain: the costs of numerous support calls add up over time. Not only do extra support calls drain a company’s financial resources, they place an additional burden on the contact center and divert support staff from handling other high-value customer calls.
The extra cost and inconvenience associated with customer inquiries can be easily avoided by maintaining up-to-date security, including valid SSL Certificates.
Increased strain on IT departments
Just like customers who call customer support when they’re uncertain about a website’s security, employees who see warnings that stem from expired SSL Certificates on intranets or other internal sites will often contact IT staff to resolve the issue. This can add a significant burden to IT departments that are already overwhelmed.
In other cases, employees may ignore these expiration warnings altogether, a situation that continues to leave the affected resources vulnerable to attack. It also sets a negative precedent for security compliance by creating the impression that staff may disregard internal security measures.