Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Technology

Posted By Jessica Weisman-Pitts

Posted on October 29, 2024

Proactive and Responsible Disclosure Strengthens Business Cybersecurity

Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet

By Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet

Cyberattacks on businesses are growing in size and complexity, with almost one in three UK firms suffering an attack in the past year. With threat actors targeting businesses regardless of size and industry, attacks are now a matter of “if” and not “when.”

Identifying and disclosing vulnerabilities before they have the chance to affect the wider business is crucial to lowering the risk of an attack. With most vulnerabilities stemming from coding errors, early detection is key to protecting devices, businesses and customers from cyber threats. Ensuring this is done responsibly by aligning with government standards and communicating with customers on new and existing vulnerabilities plays a crucial role in protecting businesses against future threats.

Making impactful change

All digital devices and software are built on code. According to one recent industry analysis, an average software code sample contains 6,000 defects per million lines of code. Research indicates that about 5% of those defects can be exploited, roughly translating to three exploitable vulnerabilities for every 10,000 lines of code. In a world of imperfect code, who would we want to find the problems — the manufacturer, users and third party researchers, or malicious actors? While having users or third parties find problems is a common approach, a product’s manufacturer usually has the greatest expertise and resources to bring to bear to finding problems and vulnerabilities.

Every producer of IT products and services is responsible for following robust security standards at all stages of the product development lifecycle. These vendors must also practice responsible radical transparency and proactively search for and disclose vulnerabilities in their software. If a defect poses a security vulnerability it should be reported as such, and not labelled a functional fix or performance upgrade, since many large organizations will apply security patches but are more selective in applying functional fixes. Mis-labeling a security vulnerability as another type of problem doesn’t fully inform users of risk. Practicing radical transparency not only protects product users before they are exploited but also allows other organisations to examine their own code for similar vulnerabilities. There are several ways to do this; self-discovery through rigorous manual code analysis, penetration testing and automated fuzzing; encouraging third-party threat researchers to report discovered vulnerabilities to vendors; and detection via indications of active exploitation (where an organisation discovers a vulnerability itself).

Not all organisations follow the same standards for transparency in vulnerability disclosure regardless of how the gaps in defence are discovered. While there are a number of industry best practices for encouraging responsible disclosure processes, including the National Cybersecurity Centre (NCSC)’s Vulnerability Disclosure Toolkit, adhering to these guidelines is unfortunately not required.

Ensuring collaboration and transparency

IT manufacturers who prioritize building security into their products and services from day one benefit in a variety of ways, ranging from producing more secure offerings that will require less security patching after delivery to building a solid foundation of trust with customers, partners, and the public. Measures manufacturers should include aligning to industry-recognized standards from government organisations, such as the NCSC in the UK and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States.

Also, having timely and ongoing communication with customers is essential in protecting and securing businesses from external threats. Doing so allows for threats to be responded to appropriately. It also allows for remediation measures to be quickly and transparently published. Robust communication enables everyone within a business to understand where associated threats may lie, allowing teams to be proactive in taking additional cybersecurity measures as needed.

Understanding the potential for vulnerabilities to surface while setting high standards for responsible development and disclosure to mitigate them empowers businesses to make informed risk-based decisions about their cybersecurity. To take this one step further, once this policy has been implemented by an organisation, the next step is to adopt a ‘secure by design’ approach.

Secure by design is a concept that prioritises security as a core business requirement. Secure-by-design covers every stage of product development, from concept to end-of-life, while also operating in accordance with leading standards such as NIST 800-53. Embracing secure by design principles also encompasses being transparent about potential risks, proactively disclosing vulnerabilities, and sharing actionable steps to help customers improve their cyber resilience.

Introducing a comprehensive framework

As the threat landscape grows more complex, customers will begin demanding that their vendors embrace secure by design principles, making this approach far more than a “nice to have” feature when procuring software.

For technology providers, having an effective cybersecurity framework in place is vital and requires a continual commitment to transparency, collaboration, and proactive vulnerability disclosure. With code defects posing significant risks, leaders must identify, patch, and disclose vulnerabilities responsibly. Ensuring responsible disclosure empowers organisations to make more security-informed decisions, which improves cybersecurity for all.

Recommended for you

  • The Future of Asset Management: Technology-Driven Innovations and Client Expectations

  • How can we ensure privacy in the digitization of healthcare?

  • Quantum Computing: Unleashing Disruptive Potential and Strategic Industry Implications