The 2013 Black Hat conference this past week proved once again that anything and everything can be hacked. Hackers showed how they could take remote command of televisions, home heating equipment, cars, and even -- of all things -- toilets. More than anything, the conference highlighted that many products these days are built for reliability, not security.
But that doesn't mean we can't be smarter about demanding security, or even accountability, in the event of a cyber-attack. This point was driven home in a survey released by Gartner reviewing software as a service (SaaS) acquisitions. Gartner's survey of SaaS buyers revealed great dissatisfaction with the terms and conditions included in the contracts, specifically because there is typically "very little security language" in them. What language does appear is usually vague and quite malleable, leaving customers with little in the way of security assurances. Minor consideration, if any, is typically given to naming the customer as an additional insured under the SaaS vendor's policies.
What does that effectively mean? It means that companies may be getting smarter about cybersecurity threats, but are still not implementing comprehensive plans to ensure cybersecurity across the enterprise, which is a grave mistake. Cyber-attacks can come from any number of directions, and if companies simply focus on locking down their internal systems they will ignore the threat posed by outside vendors. Letting data flow back and forth to outside servers, the "cloud", or whatever you want to call it, in an insecure fashion could functionally nullify all the security measures a company could take.
The danger here is well illustrated by the claims Wyndham Hotels is currently facing from the Federal Trade Commission (FTC). Wyndham, which suffered two major cyber breaches in a short space of time, is alleged to have allowed the breaches to occur by virtue of inadequate security, such as insecure connections to third parties. Whether the FTC actually prevails is almost immaterial at this point; the fact that such theories of liability are being asserted is warning enough that companies need to address external as well as internal cyber vulnerabilities.
So that brings us back to the Gartner survey. If companies are dissatisfied with the security language in their SaaS contracts, then they need to start putting some greater effort behind inserting such language in contracts. Companies shouldn't accept vague platitudes or promises about using "reasonable" efforts to secure their systems. Instead, specific measures and goals need to be required and -- more importantly -- considered non-negotiable.
Of course, part of the question is what companies should demand from their outside vendors with respect to security. A number of options exist, including the potential cyber framework to be created by the National Institute of Standards and Technology under President Barack Obama's cyber executive order. Companies could also demand the use of cybersecurity technologies that have been validated through other programs, such as the "SAFETY Act" program administered by Homeland Security, which determines whether products are useful and effective against cybersecurity threats. It costs the customer nothing to demand that a vendor go through this process, while the vendor gains a valuable independent measurement plus possible liability protections.
At the end of the day, though, companies must be smart about buying information technology products and services. The cyber threats are too pervasive for companies to be lax about demanding security from their vendors. It may save a few dollars to require less security up front, but they can be almost certain to pay on the back end. The ends will justify the means.