Why the Tech Industry Needs to Rethink Product Security

essidsolutions

Tech startups need to make cybersecurity a higher priority, both within their companies and within their products. This is an issue many startups struggle with, but Reuven Aronashvili, founder and CEO of CYE, discusses how proper human resources, organizational design and a shifting mindset can help companies achieve better security.

The tech industry, by definition, is highly exposed to supply chain attacks, ransomware and other cyber risks. In fact, 68%Opens a new window of startup founders have experienced an attack on their company.

High-tech companies are more exposed to cyberthreats for many reasons, including their reliance on cloud-based technology, their valuable intellectual property and the high volume of data they often have, including data for their products, and personal information from customers using their online services. They are also quick to embrace new technology and, in general, take more risks than traditional companies.

Due to this ingrained higher nature of risk, tech companies need to take additional steps to make sure they–and their products–are secure. Good cyber posture and threat intelligence are not enough. Tech companies need to think more about the security of their products, clients and users from day one; they need to build cybersecurity into the design of their products and business.

Every Startup Needs a Head of Product Security

A product security officer is often a position that does not get created until the later, more mature stages of a tech business–or until the business is breached or attacked. But this is a mistake. Bringing on or appointing a head of product security needs to happen at the founding stage.

This person can help make sure that companies design and market their products with security in mind; that they choose secure over fast rather than the other way around. Such a position is even more critical now as regulations and industry requirements continue to increase, especially in industries like finance, healthcare and other critical infrastructure, which affect not only those sectors but also startups operating as service-providers in fintech, AI-powered data analysis systems or smart devices.

This executive not only improves product security itself, but the existence of such a position also sends a strong message to both clients and the rest of the company’s team about prioritizing security and privacy.

See More: The Top 3 Needs of Application Security Today: Context, Visibility, and Control

Choose Security over Experience: Data Access Should be Closed by Default

Cybersecurity should be an integral part of the engineering process. In an ideal world, everyone would build software with open code, which makes it much harder for attackers to hide out in networks, which often happens before the supply chain and other attacks. But, alas, that is not going to happen in the competitive world of software development. So other steps must be taken. 

Among the important changes that need to happen is that products should be built with all access to data closed by default. This means that users would need to change the settings from a default of closed to open. Today, for perfectly understandable business reasons, most products are not built this way; as doing so could hamper the user experience or result in a loss of revenue.

But when it comes to their long-term security and ultimately, success, companies can no longer have everything open, and then users need to close it off. Although releasing products with most settings closed will alter the user experience and initially make it seem a bit more cumbersome, this is the only way to achieve better security and avoid future business losses due to security risks. 

Code-signing should also be more widely used, as that would alert developers if any changes were made to the code before they use it, helping to spot breaches or potential backdoors for attackers before the code is implemented into a new product. In addition, developing better source-code scanning technology, and using it more widely, is important for flagging vulnerabilities. Developers should also undergo regular training for building a product with a secure lifecycle; someone would never let an untrained architect design a building. The same attitude needs to be embraced in the tech and software sectors.

Understanding a Company’s Role in the Software Supply Chain

Many tech companies are part of the software supply chain, either providing services via the cloud or receiving them. It is especially important that companies pay more attention to the services they use and receive, especially anything connected to their products or even platforms for sales, marketing or billing, which often involve large amounts of customer or product data. 

Startups need to work with the SaaS companies they get services from to understand exactly what kind of penetration and other proactive testing they have carried out. Startups also need to make sure these service providers have the correct security authorizations needed to be part of specific industries. In addition, startup decision-makers should understand the security within cloud companies themselves, including the background of employees and who has access–or could gain access- to the physical servers that contain sensitive data. Bad actors inside cloud service companies—or even employees who lack security training and are vulnerable to phishing attacks or online extortion that could result in information leaked to a potential attacker—are a danger that should not be overlooked.

A Data-based Approach to Prioritization

As attack surfaces grow, tech companies need to prioritize what to protect in their products and within their businesses so they can continue to successfully develop and market their products. The first step in prioritizing protection is to carry out risk quantification. Not every vulnerability is significant and demands protection, or at least the same level of investment in protection. In carrying out risk quantification, companies should rely on data to determine how much financial and business-continuity risk each vulnerability presents and how much it costs to fix.  This will help prioritize what to fix, and which solutions are most appropriate. Another essential factor in carrying out risk quantification is to include the entire organization and its products—and not just look at what has been included in previous risk quantification exercises.   

This approach requires close cooperation between an organization’s cyber teams, development teams and business leaders in order to fully understand the relationship between products, businesses activities and assets and cyber vulnerabilities. This cooperation will create an environment that encourages secure design and ensures a security-minded approach throughout the organization.

As the world relies more on tech solutions in every field and industry, the number of cyberattacks will only keep growing – and customers will become more security-minded and selective about the services and products they use. This means that the startups providing those products and services must integrate security from day one. This is the only way that startups will ultimately be competitive and successful in the long term.

How are you integrating security into your products and services? Share with us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window . We’d love to know!

Image Source: Shutterstock

MORE ON APPLICATION SECURITY: