Don't Let Vendors Sell You Hacker-Friendly Technology
Take these steps to be "security smart" when buying technology
Before you invest in new technology, especially with a new vendor or manufacturer, you need to make sure you're not inadvertently purchasing a problem just waiting to happen.
This is especially important if the devices, gadgets and systems you buy are going to be connected to your network, and ultimately to the Internet, and even more so if you run a business or make the hardware purchases where you work.
That's because any device that connects to the Internet is a potential entry point for hackers into your network and all your sensitive company data. Remember, for any Internet-connected device (hardware) to integrate into your operations, there is also a coordinating program (software) built into it.
Network breaches at home, at the office.
These types of security breaches through Internet-connected devices happen often in homes. For example, parents buy an Internet-connected baby monitor and camera for their nursery, and hackers sneak into the home's wireless network and spy on the baby.
That kind of intrusion can happen in the workplace as well. A hacker can spy into your business databases and learn about your workplace affairs. They do it the same way, by taking control of a manufacturer's smart device via the Internet and either causing problems with the customer experience or hacking the operational systems.
For instance, some brands of self-driving cars have been hacked in demonstrations, with the hackers taking over the wheel and destination of the car!
Take control of security issues!
If you're about to buy a new hardware device to connect to your network, you must place security at the top of your list. Adding more Internet-connected devices increases the risk of being hacked by outsiders. When you're about to invest in new technology that's going to connect to your network, take a new approach that focuses on security first, and innovation second. It will be better for you in the long run.
- Research the vendor thoroughly. In business, doing your research methodically is known as doing your due diligence. But not many companies take a hard-enough look at vendors and their products. Why? Most likely it's because there's a deadline to meet ("not enough time") or maybe the IT person simply knows of another company that purchased the product, which validates the product in his eyes. But that's not good enough.
- Ask straight questions about a vendor's security tests. One problem today is that vendors rush their product to market because "connectivity" to the Internet is the primary focus—which has the effect of making network security lower on the priority list. That's not an approach that businesses should accept so easily. It's time to start pressing vendors on the security steps and processes they put into their product development.
- Find out what happens if (and when) something does go wrong. Face it. Companies that sell hi-tech products place making the sale above everything else. But you need to make them tell you, in precise detail, what they will do if there are security flaws in their products that they didn't foresee. Vendors have something called security advisories, which are reports they publish when a vulnerability in their product has been discovered or reported. Ask your vendor how complete and detailed their advisories are...or will be moving ahead.
- Get them to answer specific, important questions. As consumers, we rely on a store salesman or product reviews for information. But when purchasing technology that will connect to our network, we have the right to ask important questions, such as:
  - If there's a software flaw, how long do they take to "patch" it properly?
  - What is their timeframe for providing ongoing product support (service, answers)?
  - Does the vendor actively dialogue with customers or others to monitor the security of their products?
  - What is their stated policy for fixing problems and do those processes meet industry needs or standards?
- Assign someone to keep tabs on products. This may seem like a big task, but someone in your company should routinely be checking websites to see if the products you've purchased—and are using—have been reported to have any security problems. Yes, your vendors should be handling that for you, but you should integrate security checkpoints for yourself.
- Check out if vendors have made any "legal news" and for what. If you hired a construction company, you'd want to know if they had been sued by a client, or vice versa. With a little digging, you can uncover public legal information about technology vendors. If you think your IT person isn't up to the task, assign someone on your team who's good at research.
Get it in writing.
As you're reviewing a vendor and their products (most likely through their sales rep), you need to make sure that you get more than sincere-sounding reassurances: you should get their responses to your key questions in writing.
If your purchase agreement comes with a written contract, you should have your vendor put their promises of service and attention into the contract. That way, you have more than their word to go on.