Why consumers should not accept the status quo of insecure products
By: Steven Grossman, Vice President of Program Management, Bay Dynamics (@BayDynamics)

Too often, the words "cyber risk" do not resonate with start-up entrepreneurs. They are focused on putting the next big, "buzz-able" product on the market. They view cyber risk as something that slows them down, and in spite of the slew of data breaches that have happened in the past several years, they continue to falsely believe their products are secure enough.

That false sense of security is especially prevalent among Internet-of-Things (IoT) companies. Gartner predicts that 6.4 billion connected things will be in use worldwide in 2016 and that the number will reach 20.8 billion by 2020. Since there isn't a security standard for the Internet-of-Things that mandates manufacturers fulfill specific guidelines to ensure their products are secure, many devices hit the consumer market with gaping vulnerabilities. Hence the stories about hackers breaking into internet-connected cameras, toys, baby monitors and other technologies that are commonly used in businesses and private residences.

Start-ups are not held to the same level of accountability as larger companies that have boards of directors. Every day, I talk to IT and security executives who feel the heat to get it right. They are required to report to boards of directors on a regular basis about what they are doing to minimize the company's cyber risk exposure and show proof that they have made appropriate efforts to avoid consumer backlash. If they fudge any reports to paint a rosier picture of the truth, they could lose their jobs.

Similar to how boards of directors hold companies responsible for making cyber risk a top priority, consumers must hold start-ups accountable. Consumers are so accustomed to either reading about or experiencing security vulnerabilities within their products that they are conditioned into accepting it as the status quo and living with the issue or simply "moving on." They do not hold the companies behind the insecure products accountable for their defects, and therefore start-ups are not motivated to improve the situation.

In collaboration with the Department of Homeland Security, Underwriters Laboratories (UL), an American worldwide safety consulting and certification company, recently announced a new security certification program for IoT products, the "Cybersecurity Assurance Program (CAP)." Most electrical appliances have UL certifications listed to prove that they are built to not expose consumers to safety risks. Consumers know that when they buy UL-listed products, they can feel confident those products are safe. Unfortunately, to this point there has not been a widely adopted cyber security certification that consumers can rely upon. If the UL security program gets broadly adopted, it is a great first step towards having a standard that start-ups can develop to, and consumers can rely upon when deciding which product to buy.

However, until that point, consumers must do their homework. In addition to taking available technical measures to protect themselves, consumers should talk with their pocketbooks and not support companies that are releasing products with security vulnerabilities. They should research product reviews to see if the press or any other customers have reported being compromised due to a security vulnerability. If they are compromised due to an insecure product, they should be vocal in product reviews, insist on a refund, work with their credit card company to dispute charges for products that are exposing them unnecessarily or, depending on the severity of the breach, take legal action. They should not accept the status quo of insecure products.

Until there is a more rigorous oversight and review process that mandates that companies build cyber security into their products, start-ups need to understand that if they get it wrong there will be repercussions.