Security researcher Brian Krebs reports on the Java 7 and Java 8 updates that Oracle pushed out earlier this month to fix 37 bugs, including some major security issues, in the Java SE platform.
Among the issues addressed by the patch are at least four flaws that would allow hackers and malware to gain remote access to a user's device. Security flaws are graded on a scale from 1 to 10 by NIST's Common Vulnerability Scoring System, and these flaws rank as a 10, the most severe rating.
We've profiled other Java vulnerabilities before (see: "Stale Coffee: Old Versions of Java Expose Programmers to Cyber Liability"), and for developers who follow the platform, these issues shouldn't be surprising.
If you or your clients use Java, make sure you install this Java Critical Patch Update immediately. Given the popularity of the platform, hackers are probably already building malware that will exploit these weaknesses.
IT Liabilities Are More Severe for Businesses
Software security issues tend to affect businesses (i.e., your clients) more than consumers because of a few inherent difficulties businesses have. They…
- Rely on old enterprise software. Because of the difficulty of upgrading their IT infrastructure, many businesses are slow to replace old software. In addition, it can be difficult to replace an old IT solution that a business has built its workflow around. Replacing old sales and accounting software takes more than just downloading a new program. It means finding ways to transfer data between programs and rerouting job functions for employees. Because of these hurdles, many businesses are more likely to be using five-year-old software that might have security flaws (or, for instance, might rely on an old version of Java with known security issues).
- Are exposed to third-party vendor risk. This is the risk your clients carry from working with other companies and contractors who may have access to the client's network. The real story behind the Target data breach was that a security flaw at Target's HVAC contractor is what led to the breach. To learn more about contractor risk and IT liabilities, see "Help Your Clients Understand the Risks from Third-Party Contractors."
- Have more at stake. It's easy to underestimate the value of a company's data. In addition to customer and user data (like addresses and SSNs), there's IP, vendor payment information, the company’s own financial accounts, and other data that criminals could use to steal money or commit identity theft.
How IT Consultants Should Protect Their Businesses from Enterprise Software Risks
Consultant liability can be a million-dollar issue: one lawsuit over a Java security flaw or bad consulting decision can mean an IT professional is facing a million dollars’ worth of legal expenses.
However, as we saw above, working with enterprise software is fundamentally risky. Your clients probably tend to use old software, are slow to upgrade, and are exposed to more risk from working with numerous vendors.
Because of these inherent risks, IT companies need to protect their businesses from lawsuits by adopting secure practices, educating their clients about business risk, and investing in risk management solutions. Errors and Omissions Insurance can cover a million-dollar IT lawsuit, protecting you from client-side data breaches, identity theft lawsuits, software flaws, and other IT liabilities.
For a free insurance quote, contact TechInsurance today.