Introduction
Consumer trust is a vital asset for any business, especially in the digital age, where data breaches, cyberattacks, and misinformation are rampant. According to recent Forrester research, consumer trust in businesses will decline by 10% in 2024. Consumer skepticism will be at an all-time high, and consumers will call out any mismatch between stated brand values and actual behaviour, and any evidence of greenwashing. Moreover, the continued spread of misinformation will affect all companies, regardless of their size or industry.
For businesses that operate in the cybersecurity domain, trust is not only an asset but also the product. As a security provider, you sell trust to your customers, who rely on your solutions to protect their systems, data, and reputation. Trust, however, is fragile and hard to restore, especially when it is broken by critical vulnerabilities or incidents involving your own product. When that happens, customers lose trust in your solutions and may switch to your competitors or to alternative options. According to the World Economic Forum's Global Cybersecurity Outlook 2024, 41% of companies suffered a material incident in the last 12 months that was caused by a third party.
The SolarWinds hack: A wake-up call for security supply chain management
One of the most significant cybersecurity incidents of 2020 was the SolarWinds hack, which compromised the networks of several US government agencies and private companies, including Microsoft, FireEye, and Cisco. The attackers infiltrated these systems by inserting malicious code into the build of SolarWinds' Orion platform, so that it was delivered to customers through the vendor's own signed software updates.
The SolarWinds hack exposed the vulnerability of the security supply chain, which refers to the network of vendors, partners, and third-party providers that deliver software, hardware, and services to an organization. The hack also demonstrated the difficulty of detecting and preventing such sophisticated attacks, which can have far-reaching consequences for national security, business operations, and customer trust.
The SolarWinds hack serves as a wake-up call for businesses to improve their security supply chain management and to adopt a zero-trust approach that assumes any system or entity, including a trusted vendor's update channel, could be compromised. Businesses should also conduct regular assessments of their security supply chain and implement best practices such as encryption, authentication, and segmentation. Moreover, cyber security needs to become part of the liability discussion. Procurement and legal teams must get better at writing providers' cyber liability into contracts, so that the risk that comes with digital services is accounted for. Replacing a vendor after a streak of vulnerabilities or security violations must also be on the table.
The US SEC has also brought cyber security into its regulations: disclosure rules for material cyber incidents and for cyber risk management and governance took effect in December 2023, with the aim of more transparency for investors and, eventually, the public. The SEC also charged SolarWinds and its CISO with fraud over allegedly insufficient and misleading disclosure of the company's security practices and known risks.
The Ivanti VPN vulnerabilities: A reminder of the importance of patching
The Ivanti VPN vulnerabilities disclosed in early 2024 highlighted the importance of patching and updating software, especially for remote access solutions that sit directly on the network edge. CISA issued an emergency directive and Ivanti released patches to address the vulnerabilities, but the incident caused significant reputational damage. Research has also shown that Ivanti's products ship a good number of software libraries that are more than ten years out of date. When trust is the product you sell, that is grossly negligent.
The Fortinet Zero Days: A case of discrepancy between reputation and reality
A third cybersecurity incident that affected consumer trust was the disclosure of zero-day vulnerabilities in FortiOS, the operating system that runs the network security appliances of Fortinet, a leading vendor of network security products and services. The vulnerabilities could allow attackers to take over devices running FortiOS and gain access to the network traffic and data passing through them.
The Fortinet zero days were particularly damaging for the company's reputation and legal liability, as they were disclosed after Fortinet had been named a leader in the Gartner Magic Quadrant for Network Firewalls. The company faced criticism from customers and shareholders, who accused it of failing to disclose the vulnerabilities in a timely manner and of misleading the public about its security capabilities.
Still, Fortinet is one of the leading security vendors and is widely used. Since replacing a vendor is time-consuming and costly, you should at least look into protecting yourself legally through liability clauses. Also, the analyst reports that organizations usually rely on for vendor selection must start incorporating each vendor's vulnerability track record.
Conclusion
Consumer trust is becoming more important and more challenging in the digital age, especially for security vendors. The SBOM, or Software Bill of Materials, is one tool that helps with software security and supply chain risk management. It is a machine-readable list of all the open source and third-party components present in a codebase, with their versions and licenses; matched against vulnerability databases and release histories, it shows which known vulnerabilities apply, which components are unpatched, and which are simply years out of date. An SBOM provides visibility and accountability for the software components and their relationships, and helps identify and address security and license risks before they become incidents.
However, the SBOM is not a silver bullet, and it requires collaboration and compliance from both software vendors and users. Security vendors are being forced into more transparency, but they also need to ensure that their products are secure and reliable, and that they disclose and fix any vulnerabilities promptly and effectively. Customers, on the other hand, need to verify and validate the SBOM information they receive, and apply patches and updates as soon as possible. Companies will also take more rigorous action in the future if they find that a security vendor has violated their trust, such as switching to alternative solutions, filing lawsuits, or reporting to regulators. Therefore, security vendors and customers need to work together to build and maintain trust in the digital age.
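To make the "verify and validate the SBOM" step concrete, here is an added example of the kind of check a customer can run on a vendor's SBOM. It is illustrative code written for this article, not tooling from SolarWinds, Ivanti, Fortinet or the CycloneDX project. It parses a small CycloneDX 1.5 JSON document and flags each component that is affected by a known advisory, that is older than a configurable age, or that trails the current upstream release. The SBOM, the advisory list (with the hypothetical identifiers ADV-EXAMPLE-1 and ADV-EXAMPLE-2), the release dates and the "latest version" table are all constructed inline so the example runs offline; a real audit would pull them from the package registry and from a feed such as OSV or the NVD.

```python
"""Audit a CycloneDX SBOM for vulnerable, stale and outdated components.

Added example for this article; not code from any vendor named in it.
All data below is constructed for the example.
"""
import json
import re
from datetime import date

# Constructed CycloneDX 1.5 JSON SBOM, as a vendor might ship with a product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application",
                             "name": "example-vpn-appliance", "version": "9.1"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u",
     "purl": "pkg:generic/openssl@1.0.2u", "licenses": [{"license": {"id": "OpenSSL"}}]},
    {"type": "library", "name": "libxml2", "version": "2.9.14",
     "purl": "pkg:generic/libxml2@2.9.14", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "zlib", "version": "1.2.3",
     "purl": "pkg:generic/zlib@1.2.3", "licenses": [{"license": {"id": "Zlib"}}]}
  ]
}
"""

# Constructed advisory feed: component -> [(hypothetical advisory id, first fixed version)].
# Real feeds give introduced/fixed ranges per advisory; "everything below fixed_in" is a simplification.
VULNS = {
    "openssl": [("ADV-EXAMPLE-1", "1.1.1")],
    "zlib": [("ADV-EXAMPLE-2", "1.2.12")],
}

# Constructed lookup tables standing in for registry metadata.
RELEASE_DATES = {
    "openssl@1.0.2u": date(2019, 12, 20),
    "libxml2@2.9.14": date(2022, 5, 2),
    "zlib@1.2.3": date(2005, 7, 18),
}
LATEST = {"openssl": "3.2.1", "libxml2": "2.12.5", "zlib": "1.3.1"}
AS_OF = date(2024, 3, 1)  # date of the audit, fixed so results are reproducible


def parse_version(v):
    """Split '1.0.2u' into comparable tokens. Numbers compare numerically
    (so 1.2.3 < 1.2.12) and a trailing letter run sorts after the bare
    number it follows (so 1.0.2u > 1.0.2), matching OpenSSL-style suffixes."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def load_components(sbom_text):
    """Return (name, version, purl) for every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [(c["name"], c["version"], c.get("purl")) for c in bom.get("components", [])]


def audit(sbom_text, vulns=VULNS, release_dates=RELEASE_DATES, latest=LATEST,
          as_of=AS_OF, max_age_years=10):
    """Return a list of findings, one per (component, issue)."""
    findings = []
    for name, version, purl in load_components(sbom_text):
        ver = parse_version(version)
        for adv_id, fixed_in in vulns.get(name, []):
            if ver < parse_version(fixed_in):
                findings.append({"component": name, "version": version, "purl": purl,
                                 "kind": "vulnerable",
                                 "detail": f"{adv_id}, fixed in {fixed_in}"})
        released = release_dates.get(f"{name}@{version}")
        if released is not None:
            age_years = (as_of - released).days / 365.25
            if age_years > max_age_years:
                findings.append({"component": name, "version": version, "purl": purl,
                                 "kind": "stale",
                                 "detail": f"released {released}, {age_years:.1f} years ago"})
        if name in latest and ver < parse_version(latest[name]):
            findings.append({"component": name, "version": version, "purl": purl,
                             "kind": "outdated",
                             "detail": f"upstream latest is {latest[name]}"})
    return findings


if __name__ == "__main__":
    for f in audit(SBOM_JSON):
        print(f"{f['kind']:<10} {f['component']}@{f['version']}: {f['detail']}")
```

The three checks deliberately answer different questions: "vulnerable" is what a scanner reports today, "outdated" shows how far behind upstream the vendor is, and "stale" catches the ten-year-old library that has no current advisory simply because nobody has looked at it recently. A vendor whose SBOM lights up the "stale" column is the case this article's Ivanti section describes, and it is visible without any exploit being public.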