According to an article on Kaspersky's Threatpost.com, security researchers became frustrated with Oracle's slow efforts to patch major security flaws in its Java cloud services and decided to publicly announce the flaws in order to push the software company to make faster changes.
After waiting two months for a response from Oracle, researchers grew increasingly concerned that the nearly 30 flaws could be chained together in a way that exposed users' data and allowed attackers to achieve remote code execution.
This news comes out as IT companies are scrambling to patch OpenSSL to limit the damage from the Heartbleed bug. While these two news stories are unrelated, they both tell the same tale: even industry-standard software and cloud services come with risk.
What Does a Small IT Business Do When There's a Security Flaw in Third-Party Software?
While you might think that SaaS or enterprise software from a major company like Oracle would be bulletproof, the truth is that it's impossible to predict which software has security flaws.
If you follow our blog, you'll know that in the last six months we've reported on flaws in products from Microsoft, Apple, Android, Google, and now Oracle. You couldn't find a more distinguished list of tech companies.
Flaws can happen in any piece of software, even if the company that made it is an A-list tech company. Where does this leave a small IT business that must use these products?
Say you build an Android mobile app for a client, only to find out that old versions of Java have a security vulnerability that can be exploited to expose client data. (See our article, "Stale Coffee: Old Versions of Java Expose Programmers to Cyber Liability" for more details.) Can you be sued over a flaw in Java?
In these situations, small IT companies can in fact be sued. Weaknesses in certain versions and platforms (whether it's OpenSSL, Java, iOS, or something else) can lead to major data breaches, service outages, and other problems that lead to lawsuits.
It might seem unfair that you're sued for problems in another company's product, but that comes with the territory of being an IT consultant. You are responsible for the security of the products you design or recommend, even if the flaws are caused by another party.
(To learn more about the unavoidable risks of using third-party software and services, see "Help Your Clients Understand the Risk of Third-Party Contractors.")
How to Protect Your Business from Third-Party Risks and Data Breaches
The news about Oracle goes to show you that IT companies are always at risk. So what do you do about it? Successful small businesses are adept at managing these risks: they maintain high professional standards and make sure to protect themselves as much as possible.
Here are a few steps you can take to protect your business:
- Stay up to date. When a security flaw like Heartbleed occurs, you may need to spring into action and update server software. (For our breakdown of Heartbleed, see "How You Should Deal with Heartbleed.") Stay current with IT news and cyber security issues and update any software that needs it.
- Teach your clients secure practices. Make sure clients know how to use their software securely. It's one of your professional responsibilities to make sure clients are using their devices properly. If you don't do so, you can be sued.
- Invest in Errors & Omissions Insurance. E&O Insurance (also called "Professional Liability Insurance") pays for the cost of lawsuits over client data breaches, software flaws, and other issues with the software and hardware you recommend. This type of contractor insurance is vital for IT professionals because they are exposed to unavoidable risk whenever they use third-party software.
To learn more about mitigating your risk, browse our other business tip posts. You can also contact a TechInsurance agent to learn more about your insurance options.