We have written before about the importance of good vendor selection and vendor risk management processes for companies. The article below helps reinforce this. As research conducted by Finite State and ReFirm Labs shows, many low-cost devices, including network equipment, mobile devices, and IoT devices, include flaws in their firmware (the low-level software that controls how the equipment operates) that can allow an attacker to take complete control over the equipment. When the flaws are reported to the vendors, in some cases they are allowed to persist, and in other cases they are simply moved to other parts of the firmware, suggesting that they are intentionally planted.
Some organizations may feel that their internal data is not worth a criminal’s time, and that the risks associated with the low-cost goods may be acceptable. However, it is important to recognize that most organizations have partner and customer data, such as business plans, buying habits, intellectual property, and the like. This information is often the criminals’ ultimate goal, not merely the data belonging to the organization itself.
As your company evaluates new equipment, it is important to understand that price alone should not be the determining factor. In some cases, low-cost goods can wind up costing you more by introducing vulnerabilities that ultimately lead to cybersecurity incidents and data breaches.