Vendors' legal liability regarding security flaws must be clarified
The Global Information Security Survey has highlighted the vulnerabilities felt by businesses across the globe.
Malicious attacks are more of a threat than ever before, and organisations are desperately looking to external bodies to shoulder some of the blame or find a solution to ease the burden on business.
Software giant Microsoft's products are often a target for malicious code attackers or virus writers because of its huge market share, and the survey shows that operating systems are exploited in more than half of all malicious attacks.
Software vendors are often criticised for the slowness of their response to holes in, or attacks on, their products.
There has been much discussion about the level of responsibility vendors should take if their technology is penetrated by an attack.
A quarter of UK respondents to the Global Information Security Survey believe vendors should be held legally and financially responsible if their products prove to be vulnerable to attack, as do 39 per cent of Europeans, 33 per cent of North Americans, 36 per cent of South Americans and 31 per cent of businesses in the Asia-Pacific region.
However, 52 per cent of UK companies don't think this is a necessary measure, provided the vendors can prove they have secure development processes. This view is shared by 47 per cent of North Americans, 36 per cent of South Americans, 42 per cent of Europeans and 31 per cent of respondents in Asia-Pacific.
"I agree that vendors' products aren't secure enough," says Peter Pedersen, chief technology officer at interactive betting firm Blue Square.
"Most don't have any form of liability or indemnity in their licence agreements, and reject any kind of liability claims in their software from any impact that may have happened.
"It's very rare that people can claim for any losses incurred. Users are just left to accept software at face value and if it doesn't do the job, then that's tough. Of course, they still have to pay their licence fees at the end of the year.
"Hardware is usually different. If it fails to do the task, there's more scope for sending it back to the vendor. The trouble is that more and more functions that used to be managed by hardware devices are now managed by software, which, of course, is accompanied by a licence that indemnifies vendors from any liability."
Pedersen believes IT suppliers get off too lightly.
"Software vendors do get away with everything, when compared with other markets," he claims. "If ever a software provider is sued, it's very difficult to prove any form of liability. In fact, it's practically impossible."
Tim Pickard, European strategic marketing director at RSA Security, also believes something has to change in terms of responsibility.
"Software quality clearly needs to be improved," he states. "I think software companies need to have a responsibility that they will manage these processes sensibly. That's one thing that has to happen."
But Richard Archdeacon, European director of technical services at antivirus specialist Symantec, doesn't believe forcing vendors to take responsibility is an option.
"I don't think this is viable and I don't think anything is going to change any time soon," he says.
"I think there is an increased awareness of robustness being put into place and there is a very good code of practice on how vulnerabilities are released so hackers can't steal a march. I think there's very little chance for liability; it would be almost impossible to implement and I don't think it's practical."
When it comes to satisfaction with the efforts made by commercial system and application software vendors to secure their products against malicious attacks and breaches, just 14 per cent of Europeans were extremely satisfied, as were 17 per cent of North Americans, 10 per cent of South Americans and nine per cent of Asia-Pacific businesses.
A further 14 per cent of Europeans, 15 per cent of North Americans, 26 per cent of South Americans and 25 per cent of Asia-Pacific businesses were extremely dissatisfied, the research found.
Pedersen would like to see a change in the law to force vendors to take more responsibility.
"This won't change unless legislation changes and the government puts more of the onus on the suppliers. This is especially crucial for larger vendors," he explains.
But framing laws for something as universal as technology is not easy.
"Businesses are increasingly looking to the law and to law enforcement authorities," says Jeremy Beale, head of ebusiness at the CBI. "They also want to see more going into co-ordination between the US and the UK; there is a memorandum of understanding being discussed and that will be an improvement."
The research shows that the primary method of attack experienced by most businesses is through known operating system vulnerabilities. Known holes in applications were the second most likely places to be exploited, followed by unknown vulnerabilities in operating systems.
According to 52 per cent of North American respondents, 50 per cent of South Americans, 47 per cent of Europeans and 54 per cent of Asia-Pacific companies, the loss of the network is the most common result of attacks, followed by applications including email being unavailable and minor financial losses.
But Graham Nugent, European strategic IS manager at UPS, hasn't found network downtime to be an issue.
"Network outage has not been a problem at UPS because we have taken care to ensure that our network follows the three Rs of networking: robustness, reliability and redundancy," he explains.
Pedersen believes money is the key to good network security. "The only real way to do this is to spend more money on different suppliers, so that you don't rely on one if something goes wrong," he advises.
But Beale doesn't necessarily agree. "One of the important things is that it is not necessarily how much you spend - though that is important - but where you spend it," he says.
"Companies have to realise it is not enough to spend on just one thing, such as a firewall, but they need various different technologies to help detect and deal with threats, and have different levels of security for different types of asset. Security is not just a simple thing."
Companies are often not doing enough until they get hit, leaving their businesses very vulnerable.
As Beale explains: "The vast majority of companies haven't been hit, and only when they are do they realise how difficult it is and how prepared you need to be.
"The board often doesn't realise the issue even if the IT person does."