The software industry has always refused to take responsibility for its own products. Attempt to ask for a fit for purpose statement and software vendors laugh. They have always hidden behind the need for less regulation by saying the industry is in a constant cycle of R&D. The result is that if the software you’ve bought fails to work you only have yourself to blame. It appears that customers are finally wising up to the industry and security vendors in particular.
SentinelOne has released research that shows customers want guarantees from software security vendors. The survey covered 500 companies in the US, UK, France and Germany. It asked companies about cyber insurance and if a guarantee would make them change security vendor. In the US, 95% of respondents want security vendors to offer a guarantee. If that happened, 88% of companies would change security provider.
Tony Rowan, Chief Security Consultant at SentinelOne said: “This survey should be a wake-up call for the security industry. It has long been an anomaly that security vendors have avoided shouldering any part of the blame when products don’t work, when in most other businesses product guarantees are the norm. Taking responsibility when security technology fails would prevent vendors focusing on sales and marketing hype that give businesses a false sense of security. It would also encourage the industry to stop selling snake oil and ensure that security technology innovation keeps pace with that of fraudsters and cybercriminals.”
The rise of Cyber Insurance
Fines for data breaches are on the rise and this will get worse when the EU GDPR comes into force in 2018. To alleviate the financial impact of a data breach or malware attack companies are taking out cyber insurance. Take-up is patchy. In the UK it is 49% while in the US that number jumps to 83%. Surprisingly 20% of UK companies are prepared to take the risk and not invest in cyber insurance. This is completely out of step with the US (3%), France (7%) and Germany (2%).
When asked why no cyber insurance, the UK (65%), US (70%) and Germany (68%) preferred to invest in breach prevention. Cost is also a factor with up to 30% of companies saying it was prohibitive. Worryingly for shareholders and investors it appears that some companies didn’t even know cyber insurance existed.
The growing demand for guarantees
The details around the demand for guarantees is interesting. The question does not just ask about those selling products. It also asks about the growing industry of managed security providers. This is important. Over the last few years companies have been outsourcing their security as they’ve struggled to get access to qualified staff. The demand for security staff has created a wage bubble that is pricing the mid-sized and even some large companies out of the market.
In France (93%) , Germany (95%) and the US (95%) there is a high belief that guarantees should be available. In the UK that number falls to 75% mainly because 18% of UK respondents felt it was not necessary. This is a very strange view and one that it perhaps explained by some of the other data.
Respondents were asked if the primary security vendor/managed service provider will cover the costs of detecting and dealing with a breach. In France (44%), US (55%) and Germany (59%) it seems this is increasingly common. In the UK that number crashes to 24%. There is no real explanation for this in the survey or the press release. It could be that this is something not considered before but the UK generally tracks US trends in terms of technology decision making. This is why the numbers seem very out of kilter.
72% of UK companies do believe that companies should back up their product claims with a guarantee. 51% also feel that any faults should lie with the vendor. This is about the same in other countries. This is also a surprise as it is very low. If this were about other goods such as cars and household appliances that number would be around the 100% mark.
SentinelOne part of a growing band who offer a guarantee
SentinelOne is part of a growing band of companies who are offering a guarantee around their products. It started offering its own guarantee around ransomware earlier this year. Since then other security vendors such as Cymmetria, Trusona and WhiteHat Security have started to offer guarantees.
According to Andy Norton, Risk Officer, EMEA, SentinelOne: “We picked a family of malware known as ransomware. We are saying that we will block/remediate ransomware attacks or pay customers up to $1 million or $1,000 per machine.” To ensure that this is a no quibble guarantee Norton says that customers have to use an agent on the machine and agree to use best practices. He insists that these are not onerous as that would be counter-productive.
How does it work?
Enterprise Times asked Norton if this meant all ransomware families, both those known about today and any future developments. He said: “Yes. We are not so bothered by adjectives such as a description of the file. We look at what the file does and the common behaviours associated with ransomware. On Windows, for example, they try to delete the backups. That’s a behaviour common to all malware families. We also monitor advertising for ransomware where they show a list of file extensions they will encrypt.”
When pressed Norton said that the base price for this was $65 per machine per year. As usual the enterprise discount model applies. But what about the SME, those companies that lack IT staff capable of ensuring policies and agents are installed? According to Norton: “We created a lightweight platform anyone can use. For the enterprise, government and military they want an on-premises solution. For the smaller end of town who don’t want anything intrusive we have a solution tailored for them.”
The devil however is in the detail. When asked about operating system support Norton admitted that it was all Windows at the moment. The positive news is that this is for clients and servers. He told Enterprise Times that OSX support would be there with the next version of the operating system. Linux won’t be supported as it lacks some of the core functionality in the OS that SentinelOne relies on.
There is also no plan or date for mobile support yet. This means that coverage is not quite as wide or comprehensive as SentinelOne or customers would like. However, with ransomware attacks still predominately aimed at the desktop it is a solution that will appeal.
It shouldn’t be a surprise that companies are beginning to ask for guarantees from software vendors and service providers. The fact that the very large players in the industry have yet to decide how they will deal with this also comes as no surprise. Security is hard and it is far easier to blame users than show that products and services failed.
If the demand for guarantees continues to grow it will hopefully cause a change in behaviour from suppliers. After all, these are the same people who are going to protect our autonomous vehicles. At that point their claims to be R&D only will have to stand the test of consumer protection law. If security vendors don’t start addressing this now they could be in for a very rude awakening.