As we all know, probably to the point of exhaustion, the internet is a place filled with many threats that we all need to be aware of. Our federal government has recognized how hard it is for all of us to address all of these threats on our own by developing and publishing the 2023 National Cybersecurity Strategy of the United States Government, National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov). UniVista strongly endorses this strategy. It’s filled with lots of good ideas, like making investments in cybersecurity research and training, and even making it easier to survive a cybersecurity incident through a federal Cyber Insurance backstop. The idea we’re particularly enthusiastic about is “Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services,” which aims to stop vendors and software providers from absolving themselves of responsibility should your network be compromised due to using their software or services. UniVista appreciates the clear focus the government is projecting onto those who provide insecure software or services, and we hope this focus will encourage all vendors and manufacturers to ensure their products and services are secure for the sake of us all.
“Wait,” you might say, “UniVista is a service provider and your own liability could be increased by this directive! Why would you want to endorse something that puts you in the cross hairs?”
As your Technology Partner, we at UniVista treat your environment with the same care and accountability as our own internal network. We’ve focused on “Best Practices” for a long time, even rolling out our “Alignment Score” as the first item on our Monthly Health Reports as a reminder to keep such Best Practices at the forefront of all our discussions. Heck, many of our customers (and maybe even you, reading this) could recount a situation where we’ve held a new vendor’s feet to the fire, raised concerns about an insecure deployment, or even made you sign a single-purpose Security Addendum to your support agreement to underline how much of a risk was present in a decision that was about to be made. If you’ve ever been asked to sign that kind of Addendum with us, we promise it wasn’t because we were being obstinate or controlling. In every instance, there’s been a real and tangible risk to your business operations which we genuinely felt you needed to be aware of. It’s quite rare we go so far as to say “no, seriously, don’t do this,” but it’s a fact of reality that actions have consequences, and on computers, admin actions can have dire consequences.
Like the rest of you, UniVista has our own service providers and partners we rely on to do business and support you while keeping your costs affordable. We’re no better positioned to develop our own remote support tool than you are to assemble your own credit card reader. This means we all must use providers like Intel, Dell, Microsoft, Apple, or Google to create the systems and tools we use to conduct business. However, that doesn’t mean that we are powerless in our choice of partners and providers.
UniVista conducts business with clients who run the gamut of regulatory oversight and requirements, but we hold both ourselves and all our customers to the same standards, and we treat every environment like it is the most important environment in the world (because to you, it is). We go out of our way to ask auditors additional questions and seek recommendations outside the strict “letter of the law” in compliance frameworks. We challenge our vendors and seek independent verification of their claims, just like we do when you bring on your own vendors.
We can’t promise you that we or our own partners will never be compromised in the future, just like we can’t promise you that you won’t be either. But we can promise you that we have been pursuing – and will always pursue – every Best Practice we can to minimize all our risks! It only makes all our jobs easier to have the feds putting pressure on developers and service providers alongside us.
The very first line of the 2023 National Cybersecurity Strategy’s Objective 3.3 says “Markets impose inadequate costs on – and often reward – those entities that introduce vulnerable products or services into our digital ecosystem.” We get it. It’s often so much cheaper to go with one provider over another for your software or service needs, and technology is expensive. We’ve said for years that there are often “hidden costs” associated with going with the “cheap” or “easy” options for software and services, by way of cut corners and questionable commitments… so we simply cannot be anything other than thrilled that the government aims to hold everyone to the same standard to which we’ve already been holding ourselves. If this means that everyone takes security and Best Practices as seriously as we do, then we all win.
What’s the next step? We at UniVista will keep monitoring the process and keep you informed as our government develops this strategy into a series of directives and laws. In the interim, we’ll keep advocating for you to whoever can help, giving you the best advice we can, and doing our best job for you.
If you have any questions or would like to have a more in-depth conversation about our best practices, or anything at all, then please do not hesitate to reach out to us.