An Object Lesson in Response: Lenovo Breaks SSL Trust, Bungles Messaging

Mike Fratto

Summary Bullets:

  • Don’t break security protocols for the sake of a few shekels. The loss of trust from customers far outweighs the benefits.
  • Don’t try to downplay the severity of your mistake. Doing so will only hinder efforts to regain customer trust.

There seems to be a never-ending series of object lessons from overzealous IT vendors looking to increase their bottom line by exploiting the trust of their customers. This week, news broke, causing shock and outrage, that Lenovo had installed a broadly permissive CA certificate and its private key into the trusted certificate store of consumer laptops it sold, allowing that certificate to vouch for anything. Lenovo also installed software, Superfish, on new consumer laptops that intercepted web connections, analyzed web images and then inserted targeted advertising into web pages to help. The intended purpose of Superfish, according to Mark Hopkins, program manager of Lenovo’s Social Media (Services), writing in one of Lenovo’s forums, is to “[help] users find and discover products visually … [and] presents identical and similar product offers that may have lower prices.”

Cyber Insurance: Good Idea, So Why Isn’t It Taking Off in Europe?

John Marcus

Summary Bullets:

  • Cybersecurity insurance has been around for a few years, but take-up in Europe has been very limited so far.
  • Rather than just try to sell customers insurance policies, network and cloud providers should share the cost of mitigating risk from use of their services.

Businesses routinely take out insurance in order to protect against a myriad of risks. In many industries and professions, of course, it is even a regulatory requirement. The risks from fraud and other cybercrime have not gone uncounted by insurance underwriters and brokers, leading to a spate of new product development over the last couple of years. In the U.S., the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) took a proactive role in bringing together a diverse group of stakeholders, ranging from insurance carriers, risk managers, and IT/cyber experts to critical infrastructure owners and even social scientists, to encourage cybersecurity insurance adoption and improve cyber risk management. In Europe, the European Network and Information Security Agency (ENISA) studied incentives and barriers for the cyber insurance market and made a number of recommendations. Both of these efforts began back in 2012, so what is the state of play now?