Organisations care way too much about money and not enough about ethics when it comes to people’s security, says Tom Brewster
Now the Heartbleed panic has finally subsided, it’s time for the post-mortem. From early analysis, one thing has become apparent: organisations need to improve oversight of their coding. Whether they’re organisations of disparate membership, or cohesive units creating proprietary kit, there are too many severe vulnerabilities being disclosed on a frequent basis.
It’s a question of responsibility. Do organisations care enough about their users’ privacy? The answer appears to be ‘no’. They care about users’ data staying safe not because of some altruistic motive, but because they are worried about losing money as a result of a breach.
This was made apparent during a panel debate in which your reporter took part. Javvad Malik, an analyst from 451 Research, was talking about a company that was told if they released a product it would almost certainly be compromised by criminal hackers. The firm asked how much financial damage such an attack would do. They were told £250,000. Then they pushed the product out, despite knowing the severity of the flaw. Why? Because the web app they had put together was projected to make them millions.
Granted, taking risks is part of everyday business. It’s often what makes the difference between a market leader and a market loser. But how long would it have taken to fix that vulnerability? Would it really have been too much effort to get working on a fix ahead of the product’s rollout? Isn’t security a selling point in itself by now? Apparently not.
In a survey carried out by Trustwave, which was hosting the panel (full disclosure: they paid your reporter to contribute to the discussion), 79 percent of respondents said they’ve been asked to rush out a service despite security concerns.
That figure is too high. People’s privacy should matter more than it currently does. Companies have to get better at secure coding and delivery of secure products.
Jeremiah Grossman, Whitehat Security’s chief technology officer and founder, put it perfectly when he told me: “Our industry is backwards… We need software security not security software.”
Put simply, it’s time ethics played more of a part in businesses’ information security and digital risk strategies. Not only will it be positive for their current customers’ safety, but will help draw in more of those customers who care about privacy. Ethics and capitalism don’t always have to be mutually exclusive.
Are you a security pro? Try our quiz!