Nearly a quarter of tech firms do not security check products

Nearly a quarter of organisations polled do not run security checks on products, and nearly a third admitted to shipping products with known security vulnerabilities, a survey shows

Application security is not a priority for suppliers, with 23% of IT security professionals polled admitting their organisations do not carry out security testing on all products before launch.

This is one of the key findings of a survey of 121 security professionals at the 2019 RSA Conference in San Francisco by cyber threat assessment firm Outpost24.

Coming in the wake of recent vulnerabilities disclosed in Huawei and Asus products, the survey highlights the importance of suppliers carrying out thorough security checks on technology before shipping it to customers. It also shows that 31% of IT security professionals admit their organisation has marketed a product that they knew contained security vulnerabilities, in order to beat the competition to market.

While 21% said they were not sure if their organisation carried out security testing on products before going to market, only 56% claimed that their organisation did.

“These figures raise concerns about the priority that organisations are placing on security, especially when attempting to beat competition by rushing products to market,” said Bob Egner, vice-president of Outpost24.

“What many of the respondents are clearly forgetting is the damage security vulnerabilities can not only do to an organisation’s customers, but also to brand and reputation,” he said.

According to Egner, if a company ships products which are notoriously flawed with security vulnerabilities, they will not keep their customers for long and may ultimately face legal issues. “The value of beating competition can be lost or even reversed,” he said.

Survey respondents were also asked about when security was added into the development stages of products, with only 56% of respondents saying their organisations add security into the product development cycle at the very beginning, while 29% said they add it in the middle and 15% said they do it at the end.

“Any organisation that is developing and marketing products should look to build security into the design stage, as the cost to correct them is documented to be smaller at an early stage of the development process,” said Egner.

“Taking a secure by design approach will mean security is built into the foundations of a product and will limit the cyber risks faced by users, which will ultimately increase customer satisfaction as well,” he said.

Secure by design is a principle championed by the UK government and enshrined in the UK’s voluntary code of practice (CoP) to help manufacturers boost the security of internet-connected devices that make up the internet of things.

The first of its kind in the world, the Secure by Design CoP was developed by the Department for Digital, Culture, Media and Sport and the National Cyber Security Centre.

The UK government has also allocated £100m to two secure-by-design programmes for hardware manufacturers, aimed at establishing the UK as a world leader in eliminating cyber threats to businesses and consumers.