April 17, 2019

31% of companies know their products contain security vulnerabilities (but sell them anyway)

By Luke Christou

Some 31% of IT security professionals have admitted that their organisations have ignored known security vulnerabilities in a bid to get the upper hand over their competitors.

Security flaws in widely-used products have been making headlines of late, with the recent discovery of a vulnerability in Electronic Arts’ Origin platform following on from flaws discovered in products shipped by the likes of Huawei, Xiaomi and Asus. These flaws provided potential ways for malicious actors to infiltrate and infect user systems.

A new study by cybersecurity risk assessment company Outpost24 has highlighted the scale of the problem. In a survey conducted at the industry-leading RSA Conference last month, IT professionals were asked a series of questions about the security testing procedures of their respective companies.

Of those asked, just 56% of respondents were confident that their organisation carried out vulnerability tests on their new products before they went to market. Close to a quarter of organisations do not carry out any security tests before launching a new product. The remaining 21% were unsure whether testing took place.

“These figures raise concerns about the priority that organisations are placing on security, especially when attempting to beat competition by rushing products to market,” said Bob Egner, Vice President of Outpost24.

A short-term mentality

The problem appears to be that businesses are opting for a short-term approach in a bid to capitalise on customer anticipation. Some 31% of respondents felt that a lack of time to deal with vulnerabilities was the biggest problem putting their organisations at risk of cyberattacks.

Yet, by rushing products out to gain an advantage over their competitors, businesses are putting themselves at risk of damaging their brand and reputation should a security vulnerability be exploited.

“What many of the respondents are clearly forgetting is the damage security vulnerabilities can not only do to an organisation’s customers, but also to brand and reputation,” Egner said. “If a company ships products which are notoriously flawed with security vulnerabilities then they will not keep their customers for long and may ultimately face legal issues.”

“The value of beating competition can be lost or even reversed.”

This short-term mentality may be a result of C-level executives failing to understand the importance of good cybersecurity practice. Some 36% said that C-level executives and board members in their organisation lacked understanding, while a further 16% were unsure.

Building security into the design stage

According to Egner, thinking about cybersecurity from the very beginning of the product design process could help to keep costs down and avoid damaging the brand should a cyberattack occur.

“Any organisation that is developing and marketing products should look to build security into the design stage, as the cost to correct them is documented to be smaller at an early stage of the development process,” Egner said. “Taking a secure-by-design approach will mean security is built into the foundations of the product and will limit the cyber risks faced by users, which will ultimately increase customer satisfaction as well.”

While cybersecurity spending is increasing – with 64% of organisations expected to increase their cybersecurity budget further – 44% of organisations are still waiting until a later stage of the design process to consider cybersecurity risks.
