
Why software for SMEs needs to be trustworthy, not just secure

Small businesses in Britain will get access to guidance on reducing the software flaws that undermine their security and productivity, via the government-supported Trustworthy Software Initiative (TSI).

Its ‘Trustworthy Software Essentials’ programme will give SMEs guidance compiled alongside universities, multinationals and government bodies, to help them reduce the software glitches that stall their business’s progress.

Small firms are depending more and more on web-based tools for critical business operations, making them increasingly vulnerable to critical software flaws and cyber attacks.

The emphasis from these firms tends to be on security, but the TSI, which came out of an international meeting and partnership formed in 2009, wants to make sure the conversation is about trustworthy software, not just how secure it is.


"We are very concerned about the security of software, but we prefer the term trustworthiness, because that actually has slightly more criteria than security," Tony Dyhouse, Stakeholder Director at TSI, told CBR.

"There are five things that software needs to be trustworthy," he said. "It needs safety, it needs reliability, it needs availability, and it also needs resilience and security."

Dyhouse understands that there are significant resourcing issues for small firms, who have to make sure that every penny of the budget and every minute of time is used as effectively as possible.

However the risks they take with glitchy and insecure software are also greater. "A lot of small businesses buy proprietary software or write their own software. It’s that software that can cause them the problem and if it’s not available then of course that can have quite a serious business impact," he said.

Indeed, the trustworthiness of software is becoming an increasingly business critical issue. Back in February 2015, the government’s Cyber Streetwise campaign found that SMEs were putting 32% of their revenue at risk as they were following common misconceptions around cyber security. They risked financial and reputation damage as a result.

The Cyber Streetwise campaign also said that "66% of SMEs don’t consider their business to be vulnerable," while just 16% said that improving their cyber security is a top priority for 2015.

Common misconceptions were that only firms who took payments were at risk, something believed by 26% of those that responded, while 22% believed that hackers do not target small firms.

Dyhouse, who has worked in cyber security for around three decades, said that it is right that firms are concerned about, and secure against, hacking of their systems. He also said that small firms with sensitive data and IP are every bit as interesting to cyber criminals as large firms.

However, he said that "What we’re more concerned about is the everyday errors that cause software to fail."

In that 2015 government survey, 24% of small businesses said that they thought that cyber security was too expensive to implement, while 22% admitted that they ‘don’t know where to start’.

Dyhouse appreciates this, and said "It’s not an easy job to look at all your software and make sure it has all these particular facets, and a lot of people think oh this is just the domain of the big companies who have the resources to do this."

"It can involve quite a lot, but what we’ve been saying to small businesses is, you’ve got to cut down the procedure you use."

Part of the problem, he said, is that increasing numbers of systems that were never meant to be joined together are now being connected.

Dyhouse said that this is particularly a problem in larger industries: "We’ve seen this a lot in business control systems, industrial control systems or SCADA systems, as they’re known, where the systems were designed to operate very much on their own, but for various [reasons] they become connected to each other via the internet or sometimes directly.

"When the software was originally written it was never specified that it was going to have to work with another system, and so we often find that causes problems."

One example of this problem he gives is with air traffic control systems, noting that some of them "have been around since the 1960s."

Another example is systems in vehicles such as cars or aeroplanes. "If you take aeroplanes and automobiles," said Dyhouse, "historically they’ve had engine control systems and technical control systems, which are obviously not meant to be accessed by passengers, and they’ve [got] entertainment systems which show film and music which are meant to be worked on by passengers, but what we’re finding is that those two systems have become joined."

For big businesses like car or aeroplane manufacturers, and their customers, the matter of cyber security and resilient software may literally be one of life and death. For small businesses, the issue of having software that is trustworthy could mean the difference between making a profit or going out of business.

Dyhouse said: "What would happen if [an SME] weren’t able to send any invoices out for 24 hours, or if a customer database became corrupted and inaccessible?"

Dyhouse describes software "as the lowest common denominator" across a variety of hacks. "Why are these attacks successful?" he said. "The answer is faults in software."

He expresses particular exasperation at the fact that far from the problem being caused by new vulnerabilities and zero-day attacks, certain vulnerabilities have remained unfixed for years.

"We still read about buffer overflows, for example, which have been known about in the security industry for 20 years, so the fact that we still have buffer overflows in our software, the vulnerability to exploit buffer overflows in software, is a bad thing. We haven’t learnt from our own mistakes," said Dyhouse.
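The buffer overflow Dyhouse refers to is, at bottom, a copy that trusts a length it never checked. The following C example is added here and is not from the article or from the TSI; the `struct session` layout and the `[len][name bytes]` message format are constructed for illustration. It shows the unchecked copy spilling past the name buffer into the privilege flag that follows it in memory, and the bounded version that rejects the same message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Constructed record: the fixed-size name buffer is followed in memory by a
 * privilege flag, as happens in many real structs. */
struct session {
    char name[NAME_MAX];
    int  is_admin;
};

/* Vulnerable: copies msg[0] bytes into a 16-byte buffer without checking.
 * The copy is done byte by byte through the struct's own storage so that
 * the overflow stays inside the struct and its effect is observable. */
void set_name_unsafe(struct session *s, const uint8_t *msg)
{
    size_t len = msg[0];                          /* attacker-controlled */
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    for (size_t i = 0; i < len; i++)
        dst[i] = msg[1 + i];                      /* runs past name[] when len > 15 */
    if (len < NAME_MAX)
        s->name[len] = '\0';
}

/* Hardened: rejects any message whose claimed length does not fit the
 * buffer (with room for the terminator) or exceeds the bytes received. */
int set_name_safe(struct session *s, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    if (len >= NAME_MAX)                          /* would not leave room for '\0' */
        return -1;
    if (len > msg_len - 1)                        /* claims more bytes than were sent */
        return -1;
    memcpy(s->name, msg + 1, len);
    s->name[len] = '\0';
    return 0;
}

/* Constructed attacker message: len = 20, sixteen 'A's to fill name[],
 * then four bytes that land on is_admin. Returns the message size. */
size_t build_evil_message(uint8_t *out, size_t cap)
{
    if (cap < 21)
        return 0;
    out[0] = 20;
    memset(out + 1, 'A', 16);
    out[17] = 1; out[18] = 0; out[19] = 0; out[20] = 0;
    return 21;
}

int main(void)
{
    uint8_t evil[21];
    struct session s;

    build_evil_message(evil, sizeof evil);

    memset(&s, 0, sizeof s);
    set_name_unsafe(&s, evil);
    printf("unsafe copy: is_admin = %d (flag overwritten by the overflow)\n", s.is_admin);

    memset(&s, 0, sizeof s);
    int rc = set_name_safe(&s, evil, sizeof evil);
    printf("safe copy:   rc = %d, is_admin = %d (message rejected)\n", rc, s.is_admin);
    return 0;
}
```

The hardened version checks two things the vulnerable one skips: that the claimed length fits the destination, and that it does not exceed what was actually received. Both checks are cheap; the second one is the one most often forgotten when the length comes from the wire.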

Dyhouse accepts that errors also arise because of the tight development schedules that the people writing the software are on. He said that "the race to get products onto the market" means that some products are "coming onto the market before being adequately tested."

He said that developers are "not allowed enough time to get better software out there."

With the new resources it is making available to SMEs for free, as well as the public standard in trustworthiness it has helped develop, Dyhouse and his TSI colleagues are working to make the IT landscape one in which SMEs can not just be secure, but one that they can trust.
This article is from the CBROnline archive: some formatting and images may not be present.