Software Liability: Where Consumer Fears and Business Risk Converge


February 19, 2016 02:00 PM

Already another in a series of watershed years for cyber-security, 2015 ended with a noisy bang when Juniper Networks revealed in late December that they had discovered unauthorized code embedded within products that could allow hackers to decrypt VPN connections and access what were thought to be secured communications. The story quickly turned into something more than a technology story, with suggestions of who may have been behind placing that code in Juniper products. But I’d like to bring this story back into more of a corporate IT focus and drill down a bit into what software hacks like this imply for organizations. There is a growing argument that software companies should be held legally liable for security breaches that result from insecure code. Knowing what we know about the tendency for legal matters to pull in as potentially culpable anyone within an arm’s reach of potential blame, it’s not so far of a reach to think that at some point this argument will extend to the companies using this insecure software when it results in a breach of consumer information.

This potential expansion of liability (legal or otherwise) should be at the forefront of organizational consideration for those looking at software and in particular mobile applications to engage with customers. The reality of this is essential for all organizations large and small, and for good reason. The average consumer with a smart phone has more than 25 applications on their device, spending 2-3 hours of time per day on their devices. This has both major and minor consumer brands scrambling to create new paths of engagement through an endless array of mobile applications. These organizations will increasingly find they need to keep an eye on two areas of growing risk: satisfying the consumer’s expectations for security and the potential for legal liability stemming from a data breach.

Let’s explore the consumer expectations first. At Radware, we recently commissioned a survey of over 2000 consumers on their use of cloud-based apps and their concerns regarding the security of their personal or financial information. The survey revealed both predictable and unexpected results. One of the most interesting findings is consumers’ general view that security incidents will occur, but that they expect strong remediation when those incidents result in consumer data loss.

Consumers do understand there is risk. The overwhelming majority (87%) agree that cloud-based apps can get hacked and more than two-thirds (69%) of consumers believe that the more popular an app is, the more likely it is to become a target for hacking.

So how will they respond? What will these consumers do if and when a breach occurs? For starters, you can expect many of them to abandon your app. More than half (54%) of consumers say they would stop using a cloud-based service if it was hacked. What’s not clear from this number is how many will turn to more traditional means of engaging with products and services versus turning to a competitor, either out of sheer frustration over the breach or because of the availability of an application assumed to be more secure.

Consumers also have the mindset that when breached, companies have a responsibility to make things right. When asked if providers of cloud-based apps should offer compensation or identity theft protection to customers affected by a breach, an overwhelming 85% said yes. Providing compensation or some type of identity theft protection service could potentially stop those customers from abandoning the service.

Consumers have come to trust other third parties to shield them from the long-term impacts of data theft, be that banks protecting credit card accounts from fraudulent use or identity “lock” services keeping credit and other fraud at bay. So it’s a natural extension of these established behaviors for consumers to expect companies to protect and mitigate their personal losses in the event of a breach.

Legal Liability

For many companies the ire of customers is enough to push them towards change and improvement in user experience and satisfaction. For others, it sometimes takes a little more legal liability. The topic of legal liability related to software-based security breaches has been coming up more and more within the security arena. At last year’s Black Hat conference, the event’s founder Jeff Moss addressed the topic and proposed that there is an inevitability of liability on the horizon, at least for software manufacturers. One can quickly make the short jump to suppose that such action would also find its way to the hardware manufacturers where vulnerable software created by the manufacturer is in use.

For many organizations, this next jump (while by no means a certainty to occur) would create significant challenges in managing risk. The fact is that relatively few of the myriad applications consumers have on their mobile devices were created by the companies whose brand and business is the target of engagement. Often, consumer applications for major brands are designed, built and managed by outside third-party application companies.

IoT

Oh, and by the way, this is all about to get much, much more complicated. There is an impending accelerant to the whole application security debate: the Internet of Things. As a wave of billions of connected devices makes its way onto the Internet, expect an explosion of both targeted threats and unknown vulnerabilities. Clearly, the IoT movement has many companies that are not technology (or at least not security) focused jumping into the networked world. These organizations need to ensure they are adopting stringent security into product development as part of a Software Development Life Cycle. Applications and new code need to be put through a Quality Assurance (QA) process that tests for security vulnerabilities. This vulnerability management process also needs to be applied not only to the development of the devices themselves, but also to any networked components, such as databases or systems in the cloud serving and storing data from these devices.

What we know is this: when a data breach of sensitive consumer data occurs, few if any consumers will take the time to understand the intricacies of who did what to expose the data. They will simply assign blame to the brand and (if you rely on the results of our recent research) about half will take their business elsewhere. However, as the stakes of data loss increase, the legal arena will get involved. It is safe to say that segment will take the time to create deep and detailed paths to culpability in an effort to expand its legal footprint.

None of this is meant to scare off companies considering engagement via applications. Indeed, it is quickly becoming a necessity in the same way transactional websites became a necessity for retail-oriented businesses over the past 10 years. The point here is to put more emphasis on the importance of secure software development practices. Whether it’s built in-house or outsourced, these organizations need to ensure their providers include stringent security as part of their Software Development Life Cycle. Consumers generally assume that mobile apps have been through a rigorous Quality Assurance (QA) process. In fact, there are no standards regulating this process.

And of course, recognizing that no SDLC, no matter how well managed, can ensure 100% protection, these applications need to be supported by appropriate web application threat protections that can keep up with the threat landscape and guard against the unknown vulnerabilities present in all applications.

As a final step, organizations need to make sure that they communicate with users regarding their security measures as well as the remedies they have in place in the unfortunate event that their systems become compromised. Having the technology in place to prevent and/or mitigate a hack is just as important as having a contingency plan in case security is breached. As more and more cloud-based apps are deployed, consumers will continue to raise these concerns and security may be one of the critical factors that helps an organization attract and keep a loyal customer base.
