If you buy products with integrated software, you sometimes buy the problem along with them. Insecure components in products can later turn into a problem for many companies. While security software is usually installed on computers and IT departments take care of security with firewalls and other measures, the risks posed by purchased software and devices are usually not considered at purchasing time.
To support purchasing decisions, St. Pölten University of Applied Sciences has now launched the platform "www.it-sicher.kaufen". It provides security checklists tailored to individual requirements, free of charge and independent of manufacturers.
Price, function, design and security
IT security is by no means limited to products such as computers and software. It also matters for objects where this is not so apparent at first glance, because of their built-in hardware and software components: cameras, robot vacuum cleaners, cars or televisions, for instance. Moreover, in the age of the "Internet of Things" (IoT), more and more of the devices used in daily life and in companies are connected to the Internet.
"Price, function and design often play the most important role when purchasing products. Hardly anyone looks at IT security. However, security concerns already begin with purchasing", said Ernst Piller, head of the project and of the Institute for IT Security Research at St. Pölten UAS. According to Piller, IT security is only observed to a greater extent where it is required by law, for example in the health care sector when handling sensitive medical data.
To help purchasers take IT security into account, St. Pölten UAS, in the project "ITsec.at" and together with SEC Consult Unternehmensberatung GmbH, the Federal Chancellery, the Federal Ministry of the Interior, the Federal Ministry of Defence and Sports and the Municipal Authorities of the City of Vienna, has developed the platform "it-sicher.kaufen". It is intended to make the purchasing and procurement of devices more secure.
Checklists and information on incidents
On the platform, purchasers and procurement officers can choose which parameters are important for their products, for example aspects of authentication, logging or encryption. "After selection, a checklist is received, which can be used in contact with suppliers or for tenders", explained Piller. Each point also comes with an explanatory text with further information.
A questionnaire can also be used as a basis. It asks, in general and comprehensible terms, what is relevant for the IT security of the respective users: for example, how confidential the data in use is, how much customers could be harmed by unauthorized alteration or deletion, or how large the circle of people with access to the data is.
In addition, the platform searches other databases for known incidents and collates the information in a clear overview. "Anyone can do research on the Internet, but such a complete overview has not existed before", said Piller.
Free of charge, free of advertising and independent
The new platform is free of charge, free of advertising and independent of the products' manufacturers. It is operated by St. Pölten UAS. Companies can also enter information on the IT security of their products and of themselves. According to Piller, however, the companies are liable for damages resulting from false information, which encourages them to evaluate their products honestly.
"Up to now, there has been little information about IT security for purchasing. But a product is not more secure in operation", said Piller. Purchasing is not everything, however: protective measures in operation, such as firewalls, should still not be dispensed with.
The platform is part of, and a result of, the research project ITsec.at, which examined the dangers of cyber attacks for Austrian information and communication technology and researched strategies, recommendations for action and security tests. Partners in the project were SEC Consult Unternehmensberatung GmbH, the Federal Chancellery, the Federal Ministry of the Interior, the Federal Ministry of Defence and Sports, and the Municipal Authorities of the City of Vienna (MA14, Information and Telecommunication Systems). The project was funded by the Federal Ministry of Transport, Innovation and Technology within the FFG programme line KIRAS (security research).