Some 31% of IT security professionals have admitted that their organisations have ignored known security vulnerabilities in a bid to get the upper hand over their competitors.
Security flaws in widely used products have been making headlines of late, with the recent discovery of a vulnerability in Electronic Arts’ Origin platform following on from flaws discovered in products shipped by the likes of Huawei, Xiaomi and Asus. These flaws provided potential ways for malicious actors to infiltrate and infect user systems.
A new study by cybersecurity risk assessment company Outpost24 has highlighted the scale of the problem. The survey was conducted at the industry-leading RSA Conference last month, where IT professionals were asked a series of questions about the security testing procedures of their respective companies.
Of those asked, just 56% of respondents were confident that their organisation carried out vulnerability tests on their new products before they went to market. Close to a quarter of organisations do not carry out any security tests before launching a new product. The remaining 21% were unsure whether testing took place.
“These figures raise concerns about the priority that organisations are placing on security, especially when attempting to beat competition by rushing products to market,” said Bob Egner, Vice President of Outpost24.
A short-term mentality
The problem appears to be that businesses are opting for a short-term approach in a bid to capitalise on customer anticipation. Some 31% of respondents felt that a lack of time to deal with vulnerabilities was the biggest problem putting their organisations at risk of cyberattacks.
Yet, by rushing products out to gain an advantage over their competitors, businesses are putting themselves at risk of damaging their brand and reputation should a security vulnerability be exploited.
“What many of the respondents are clearly forgetting is the damage security vulnerabilities can not only do to an organisation’s customers, but also to brand and reputation,” Egner said. “If a company ships products which are notoriously flawed with security vulnerabilities then they will not keep their customers for long and may ultimately face legal issues.”
“The value of beating competition can be lost or even reversed.”
This short-term mentality may be a result of C-level executives failing to understand the importance of good cybersecurity practice. Some 36% said that C-level executives and board members in their organisation lacked understanding, while a further 16% were unsure.
Building security into the design stage
According to Egner, thinking about cybersecurity from the very beginning of the product design process could help to keep costs down and avoid damaging the brand should a cyberattack occur.
“Any organisation that is developing and marketing products should look to build security into the design stage, as the cost to correct them is documented to be smaller at an early stage of the development process,” Egner said. “Taking a secure-by-design approach will mean security is built into the foundations of the product and will limit the cyber risks faced by users, which will ultimately increase customer satisfaction as well.”
While cybersecurity spending is increasing – with 64% of organisations expected to increase their cybersecurity budget further – 44% of organisations are still waiting until a later stage of the design process to consider cybersecurity risks.