Recent vulnerabilities discovered in Huawei and Asus laptops have highlighted the importance of vendors carrying out thorough security checks on technology before shipping to customers.
Alarmingly, this doesn’t seem to be an isolated issue. A new study from Outpost24 has revealed that 23% of organisations don’t carry out any security testing at all on products before they are launched into the market.
The study, which was carried out in March 2019 at the RSA Conference in San Francisco, also shockingly revealed that 31% of IT security professionals admitted that their organisation has marketed a product that they knew contained security vulnerabilities so that they could beat the competition*.
Other findings from the study revealed that 21% were not sure if their organisation carried out security testing on products before going to market, while only 56% of respondents claimed that their organisation did.
“These figures raise concerns about the priority that organisations are placing on security, especially when attempting to beat competition by rushing products to market”, said Bob Egner, VP of Outpost24.
Is this an understatement?
“What many of the respondents are clearly forgetting is the damage security vulnerabilities can not only do to an organisation’s customers, but also to brand and reputation. If a company ships products which are notoriously flawed with security vulnerabilities then they will not keep their customers for long and may ultimately face legal issues. The value of beating competition can be lost or even reversed.”
Survey respondents were also asked about when security was added into the development stages of products, and this revealed that only 56% of organisations add security into the product development cycle at the very beginning, while 29% said they add it in the middle and 15% said they do it at the end.
“Any organisation that is developing and marketing products should look to build security into the design stage, as the cost to correct them is documented to be smaller at an early stage of the development process. Taking a secure by design approach will mean security is built into the foundations of a product and will limit the cyber risks faced by users, which will ultimately increase customer satisfaction as well,” continued Egner.
Information Age analysis
If these figures are true, it is an absolute outrage.
By now, following breach after breach and data scandal after scandal, there is no excuse for businesses not considering security throughout their organisations and within their products.
Security should be factored into the design and development stage of every product and function within business operations and strategy.
Leaders know this, and so if the results are correct, they’re either falling on the side of ignorance, taking the attitude ‘oh, it will never happen to me or my company’, or they don’t care, and getting ahead of the competition at any cost is their number one priority, not the safety of their consumers.
Those that take this attitude will get found out, and heads will roll.
However, on the other side of this, the vast majority of businesses that I have come across constantly state their commitment to security, and the role of the CISO, or similar positions, is gaining increasing clout within the largest organisations. Just like finance and now data, security must be treated like an asset, or a strategic priority for businesses.
*This is beyond negligent and these companies should be named, shamed and held accountable, in my opinion.