Taking concrete steps against cyberattacks

A cyberattack can come with a hefty price tag for Canadian organizations, costing around $6.94 million if you get hit.

Carl Windsor, Chief Information Security Officer (CISO) at Fortinet

By Carl Windsor, Chief Information Security Officer (CISO) at Fortinet 

From organizations to individuals, the threat of cyberattacks is changing how we interact with the digital world. Ensuring intellectual property and data are protected and that systems and services are secure is critical, especially as the frequency, severity and cost of cyberattacks spiral. 

According to IBM research in 2023, a cyberattack can come with a hefty price tag for Canadian organizations — around $6.94 million. These increasing costs and the escalating sophistication and frequency of attacks require organizations to prioritize cybersecurity as a business-critical investment. 

Fortinet has been at the forefront of the cybersecurity fight, continually investing in security research and development, drawing on the experts at our Burnaby campus. Their research and insights into global cybersecurity trends ensure Fortinet can be a force for change, advocating for cybersecurity best practices in Canada and around the world. 

Unfortunately, best practices tend to be suggestions and not requirements. That's why Fortinet has committed to ethical product development and vulnerability disclosure.

Building on best practices 

Ethical product development calls on software developers to build products with security in mind right from the start. It also encourages companies to embrace responsible radical transparency and adhere to leading industry standards.  

However, cross-sector cooperation is required to ensure that best practices become industry standards. Cybersecurity providers, software vendors, and government agencies all have a role to play in developing and supporting the policies that will hold software development to new and rigorous standards. 

Security by design 

Industry leaders have already taken the first steps toward establishing these guidelines. Fortinet was an early signatory of the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design Pledge.

Fortinet also collaborated with CISA to help draft the pledge, working with other international agencies and industry leaders. The goal was to develop a security mindset in all software development, bringing developers, technology companies, and cybersecurity professionals to the table. The resulting pledge commits signatories like Fortinet to use data to improve software product security and promptly disclose vulnerabilities. 

The pledge lays out seven actionable and measurable ways signatories can deliver more secure software products, including multifactor authentication out of the box, getting rid of default passwords, and working to increase patch installations by customers.

As a company dedicated to the intersection between networking and security, Fortinet has always prioritized Secure by Design principles in its product development cycle. Our FortiGuard Labs team is actively hunting down new vulnerabilities and threats. Since 2005, we've reported over a thousand zero-day threats in third-party hardware and software, and actively share that information publicly. 

Fortinet also invests in internal testing and analysis to uncover and report vulnerabilities in our products. This approach means that about 80 per cent of Fortinet product vulnerabilities in 2023 were detected internally. We also continue to work with our customers, third-party vendors, and external threat consultants and researchers to quickly identify vulnerabilities before an exploit can be initiated. 

As always, communication is key

Another focus area for Fortinet is ensuring that when a vulnerability is detected, we are proactive and timely in our communications. Through our Product Security Incident Response Team (PSIRT), we investigate and report information about security vulnerabilities and issues that might impact Fortinet products and services. Communications include direct customer contact as well as monthly PSIRT advisories that cover recommended workarounds, mitigations, or next steps. We also use the Common Weakness Enumeration (CWE) to classify the underlying weakness behind each vulnerability and share findings through the Common Vulnerabilities and Exposures (CVE) program, which catalogues specific vulnerabilities.

Aligning to and leading industry best practice

In every aspect of our product development life cycle, Fortinet follows the industry's best practices. Our Secure Product Development Lifecycle Policy (SPDLC) ensures that each product is built with security top of mind, from inception to its end of life. We also align with secure product development best practices and standards such as NIST SP 800-218, Executive Order 14028, NIST SP 800-53, NIST SP 800-161, and the U.K. Telecommunications (Security) Act.

While we're proud of our commitment to Secure by Design principles, it's clear that more software and hardware vendors need to get on board to stem the tide of cyberattacks. Fortinet continues to play an important role in advancing industry-wide security improvements by collaborating with industry and policymakers to develop and implement more robust standards.

We see the Secure by Design Pledge as a vehicle for accelerating the development of industry-wide best practices, helping lift the boat for the entire sector. Through the pledge and Fortinet's internal strategies, we demonstrate our responsible radical transparency and model a code of ethics for vulnerability disclosure. We invite our industry peers to do the same and help contribute to a more resilient digital ecosystem. 
