Vet Technologies Before Adding Them to Your Network

The Bottom Line

There are so many technology products and services to choose from. You can easily introduce cyber risk into your digital ecosystem if you select a product or service that doesn’t adequately protect your privacy and security. The questions in the Solution section will help you evaluate products with a critical eye before you adopt them.

The Problem

Not all technology products and services are developed with your privacy and security in mind.

Make a mental list of all the technology products and services you own or subscribe to. Do you use a cloud-based service to back up your data and collaborate on shared files? What about an app to record your workouts? Do you have a voice-activated speaker that responds to your commands? What about a doorbell, home security system, thermostat, or dishwasher that you can control through a mobile app?

In addition to the apps or services that you own, physical devices like voice-activated speakers have sensors and software that allow them to connect to the internet and gather or share data. These devices are part of the Internet of Things (IoT), and just like the apps or services that you use on your computer or mobile device, they also carry cybersecurity and privacy risks.

If you do not properly vet products before you introduce them into your digital ecosystem, you could put yourself at undue risk of a cyber intrusion. Improperly vetted products may lack security by design and have unaddressed vulnerabilities. These products may even have been developed in bad faith, exploiting the system or network of the person who installs it, either intentionally or due to poor privacy standards.

The Solution

Don’t download an app or purchase a product or service without evaluating it!

Here are some questions to help you to determine whether a product meets your criteria for privacy and security. While some questions may be easier to answer than others, the more often you conduct this type of research, the more proficient you will become.

1. What is the added value of the product? Every time you add a new product to your digital ecosystem, you expand your attack surface and increase the likelihood that a threat actor will find and exploit a vulnerability in your network. Therefore, you should only add products that provide genuine utility.
2. Who is the manufacturer, developer, or vendor of the product? Are they committed to your privacy and security? Do they have a history of reported cybersecurity vulnerabilities in their products and do those vulnerabilities get addressed? Has the provider had cybersecurity breaches in the past? If so, how did they handle it? (Pro tip: A good starting point is to surf the web for news stories and other articles from reputable sources that indicate a particular vendor may be unreliable.) 
   • Case study: In January 2023, the U.S. Federal Trade Commission (FTC) finalized its order with an education technology company for poor data security practices that resulted in four data breaches exposing the personal information of 40 million users. Several news articles reported on these data breaches. When users vet products and applications, news articles like these can be a great way to determine whether a vendor has a history of multiple data breaches and if they have taken meaningful steps to improve their security practices in the aftermath of a breach.
3. Where is the company located? The vendor will be subject to the laws and government authorities of the country or state in which they are owned and operated.
4. What is the product’s security profile? Who besides you and your organization will have access to your data? Is it shared with third parties? Does the product use secure encryption? (Pro tip: While it may be hard to find all of this information, a good place to start is to skim the vendor’s user agreement and privacy policy.)
   • Does your product use secure encryption?
     • Products may give you an option for what encryption algorithm to use. While there may be multiple options, we recommend the one that the National Security Agency has authorized for use to protect U.S. Government systems and data. The Advanced Encryption Standard (AES) comes in three different forms: AES-128, AES-192, and AES-256. Although AES-256 is considered the most secure, all three forms are still highly secure.
5. Does the product (and vendor) have an acceptable privacy policy? Does the provider make sufficient commitments in their privacy policy or other legal documents to guard your privacy and security?
6. Are you able to adjust the security settings on your device or app to meet your cybersecurity needs? For example, can you deny access to categories of data that the product does not require to function?
   • Case study: In 2023, the U.S. Federal Trade Commission charged a home security camera company with violating user privacy by failing to implement basic privacy and security protections, which could allow threat actors to remotely control the company’s doorbell products to access live footage and activate the speakers to confuse or intimidate residents, including children and the elderly.
   • While CISA is encouraging manufacturers to develop technologies that are secure by design, the unfortunate reality is that the burden frequently falls on the user to enable important security features. Before adding a product to your digital ecosystem, you should ensure that you have the ability to enable features such as multifactor authentication (MFA) and change default passwords.
7. Does the developer issue regular software updates for security? Some developers may not offer product updates sufficient to address evolving cybersecurity threats. This is especially true of products that are older or out of production and no longer supported for security updates.
   • Case study: In 2020, Adobe announced that it would stop supporting security updates for Adobe Flash Player and advised users: “Uninstalling Flash Player will help secure your system since Adobe will not issue Flash Player updates or security patches after the EOL [End of Life]. Adobe blocked Flash content from running in Flash Player beginning January 12, 2021, and the major browser vendors have disabled and will continue to disable Flash Player from running after the EOL date.” Just as Adobe recommended uninstalling Flash Player because threat actors could find and exploit vulnerabilities that would not be patched, users can protect themselves by ensuring that any product or application they intend to incorporate into their digital ecosystem will receive regular security updates.

This list is not exhaustive, but it is a good starting point for helping you to think critically about potential products and services before you adopt them.

Takeaways

Do

• Research the manufacturer, developer, or vendor’s track record on privacy and security for products you consider adopting.
• Check where the company of the product is owned and operated.
• Check the product’s security profile to confirm that your data is encrypted and not shared with third parties.
• Confirm that the vendor has an acceptable privacy policy.
• Confirm that you can adjust the product’s settings to meet your cybersecurity needs.
• Confirm that the developer issues regular security updates for your product.

Do Not

• Add products or services to your network that provide limited value.

Project Upskill is a product of the Joint Cyber Defense Collaborative. 

• Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
  • Topic 1.0: Implement User Account Control to Protect Your Personal Computer
  • Topic 1.1: Keep Your Device’s Operating System and Applications Up to Date
  • Topic 1.2: Ensure Your OS Antivirus and Anti-Malware Protections are Active
  • Topic 1.3: Manage Application Permissions for Privacy and Security