This came up in a Brightalk the other day with and Kaspersky and it has really been bothering me.
Cyber Essentials
At the moment in the UK, SMEs are being encouraged to adopt Cyber Essentials – a minimum baseline in information security. Before we all start bashing it, remember, it is just that – a minimum baseline and so should be encouraged. If you can help SMEs go over and above it, then please go help them.
ISO27001 compliance
Larger organisations may also adopt ISO27001 or one of the similar standards – again, a minimum audited security standard proving you are at least doing something about security.
No Minimum Security Standard
However, the problem comes when they use those same processes and procedures to create a product. There is no minimum security standard in the manufacturing process (that I have seen adopted) that says this product:
- Is not open to the internet,
- Complies with a minimum security standard,
- Does not rely on default credentials,
- Requires Bluetooth connections to be secured before connecting,
- Does not disseminate your user data in plain text,
- Encrypts passwords appropriately,
- Collects no data.
I wonder how many large breaches, DDoS attacks etc. would be removed by at least having this security culture adopted by manufacturers? And the problem is going to grow as consumer goods leak into companies – internet-enabled security cameras and web-enabled printers.
The Information Security KiteMark
You see, it isn’t just about the manufacturers adopting the minimum: if there were a kite-mark for them to achieve, then some would go above it. Some may even think, you know what... let’s do this properly.
As it stands, there is great work being done to create security cultures in organisations who then make insecure products.
But where do we start?
It has to be international, but ISO is not for everyone: not everyone has the budget to adopt it, and there are not enough auditors.
What do you think?