Founder and Principal Analyst, ZK Research with a focus on emerging technologies that enable organizations to transform digitally.
The likelihood that your organization will experience a data breach is rising at an alarming rate. According to the Verizon 2023 Data Breach Investigations Report, the numbers of ransomware attacks in 2021 and 2022 were higher than the previous five years put together, and according to Fortinet’s semiannual Global Threat Landscape Report published in August, ransomware shows no signs of slowing, with ransomware activity ending 13 times higher than at the start of 2023. If your organization isn’t already looking for ways to upgrade your cybersecurity measures, it’s time to better protect yourself against what can be devastating consequences.
The Multifaceted Ramifications Of Cyberattacks
Cyberattacks can be disastrous for your organization. Reputational damage can lead to lost business now and in the future. According to IBM’s latest data breach report, the average cost of a ransomware breach was $4.54 million in 2022
Weeks or even months of lost productivity can hobble even the most well-organized organizational machines and even lead to deadly consequences. In 2020, a lawsuit alleged that a baby born in a Mobile, Alabama, hospital missed life-saving medical care because ransomware had shut down the hospital’s IT systems.
Vulnerabilities Are A Good Thing
Businesses that want to protect themselves from this ever-growing threat will need improved cybersecurity services, but choosing the right provider can be frustratingly complicated. One signal that a cybersecurity platform is reliable is that it discloses multiple vulnerabilities.
Though it might seem like multiple vulnerabilities would be something to shy away from when assessing new cybersecurity partners, I believe the opposite is true. If a company discloses vulnerabilities, that means they’re actively seeking them out and proactively reporting them—both measures that can keep their clients safer. Any forward-looking security vendor is consistently looking for ways to engage and inform their customers so they can institute mitigation best practices and to patch their systems.
If a cybersecurity company claims to have zero vulnerabilities, that should be a red flag. If you see a vendor that claims no vulnerabilities, that’s almost certainly because of a lack of disclosure, not a lack of issues.
Vulnerability Best Practices To Ask A Vendor About
When searching for a new cybersecurity partner, here are some questions to ask to better assess the effectiveness of the vendor’s products.
1. What product testing methods are in place?
The best time to discover vulnerabilities is before bad actors do. Your cybersecurity vendor should have internal and external testing integrated into all stages of the product development lifecycle, including static application security testing, dynamic application security testing, software composition analysis and penetration testing, among others. Together, these types of testing should cover most common vulnerabilities.
Why don’t all cybersecurity vendors thoroughly test for vulnerabilities? Testing costs money. Smaller providers may cut corners to get a product to market faster, then patch as vulnerabilities are discovered, typically by clients. If you interview a vendor who discloses only a few or no vulnerabilities, this may be why.
2. What is the ratio of internal to external discovery?
Cybersecurity vendors discover vulnerabilities either internally, via an internal team that is hired to try to “break” the system, or externally, where an outside team is hired to do the same, or from a breach. The best-case scenario is that the ratio of internal to external discovery is skewed more toward internal, which means the vendor is taking a proactive approach to keeping its customers safe.
Be aware that numbers alone don’t tell the full picture. Large numbers aren’t necessarily bad, and small numbers aren’t always positive. A company with 50 or more products will likely have many more disclosed vulnerabilities than a company with only five products, but that doesn’t mean that their products are inherently less secure. They simply have a larger pool of products in which to find issues.
3. Does the vendor include secure supply chain innovations?
Cybersecurity vendors don’t make every piece of their products. Just like your cellphone is made from chips from one company, glass screens from another, etc., cybersecurity platforms are amalgamations of independent parts. Ask your vendor if they test each component of their solution both independently and together in different configurations to check for vulnerabilities.
4. Does the vendor belong to reputable organizations dedicated to responsible disclosure and transparency?
With no overarching regulations that direct companies on how to find and disclose vulnerabilities, most companies will disclose (or not) according to their own standards, which can be confusing for consumers.
Organizations such as the Network Resilience Coalition and FIRST bring together industry leaders to improve the security of data and set standards for disclosure and transparency. Being a member of an organization such as these signals that the vendor is committed to proper disclosure of vulnerabilities.
Disclosure Leads To Better Security
While a scant list of vulnerabilities might seem like a positive, it’s likely just a hiding place for issues that could lead to devastating data breaches for your company. When looking for a new cybersecurity provider in this era of frequent cyberattacks and breaches, make sure to ask the right questions and consider that a company with ample disclosed vulnerabilities may be a more trustworthy option.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
Read the full article here