Software pledge offers consumers greater protection from scams.

As scams, incursions, and data leaks continue to proliferate, cybercrime prevention is becoming an increasingly urgent global problem, and a new Secure by Design pledge is asking software manufacturers to do more to help consumers stay safe.  

Right now, the largest share of responsibility for avoiding scams falls to the end user. It’s up to us to block scam attempts, manage our passwords, and switch on two-factor authentication. All these efforts could be made easier and more automatic with better software design, building security measures in from the outset, according to one industry expert.

“When I hop into a car, I know there are certain things I have to do: put on my seatbelt and drive at the right speed, for instance,” says Nicole Quinn, head of government relations APAC, Fortinet, a signatory to the new pledge. “But I know the seatbelt will work; I know the airbags are there. Those things are built into the vehicle to make me safe. It should be the same when I go online.”

AI accelerating cybercrime 

Cybercriminals have been quick to adopt artificial intelligence (AI) to help scam more people, more quickly. By the second half of 2023, adversaries were exploiting new vulnerabilities 43 per cent faster than in the first half of the year, according to Fortinet. Ransomware is also on the rise, and Internet of Things (IoT) devices are a popular target for deploying malware. 

We’re living in a rapidly changing environment where scammers are evolving their techniques to extract the maximum amount of money from unsuspecting consumers, says Quinn. “Scammers can get AI to target 1,000 phones at once, instead of having to process them manually. They can also deep fake voices based on only small amounts of audio, like a webinar. It’s a lot of work for the end user to keep up: is this text message really from my bank?” 

Even cybersecurity companies are working harder than ever to stay on top of threats, Quinn adds, which is why some in the industry want to see stronger software design to protect against incursions. 

Secure by design 

The Secure by Design pledge has been developed by CISA, the US Government’s Cybersecurity and Infrastructure Agency. Fortinet is one of over 100 signatories, a list that includes the world’s top-tier software companies. The voluntary pledge has seven goals:

  1. Improved multi-factor authentication. 
  2. Reduced use of default passwords. 
  3. Lower prevalence of vulnerability classes. 
  4. Increased security patch installation by customers.
  5. A published vulnerability disclosure policy.
  6. Transparency in vulnerability reporting.
  7. Increased ability for customers to gather evidence of intrusions.

Although the idea of secure by design has been around for a decade, the pledge was only launched in May 2024. This year, New Zealand’s own Computer Emergency Response Team (CERT) was part of an international effort to publish guidelines that now sit alongside the pledge, urging manufacturers to make all their products more secure. 

Protecting connected devices 

By implementing the seven changes, software is made to make it easier for consumers to avoid the everyday mistakes that can lead to being scammed. 

“It’s not saying that the individual doesn’t have to do the right thing: you still must follow the ‘rules of the road’ when it comes to having strong passwords and avoiding scam links and so on,” Quinn explains. “Secure by design and the pledge is saying, ‘Okay security experts, build the software so it’s safer automatically’. Security should be central to the design from the start, not an afterthought.” 

For example, when you buy an internet-connected device like a smart TV or fridge, it will often come with a preset password of 0000. You should change this immediately, but many products let users continue without creating a new password. These default product-wide passwords “continue to enable damaging cyberattacks,” according to the pledge. 

The pledge would also see multi-factor authentication (MFA) become the default login option: having to verify yourself with a second method (like a text) significantly reducing credential stuffing and password thefts, says CISA. In general, the pledge asks manufacturers to bake in tougher security measures. 

“A lot of products have their security settings preset to the lowest levels,” says Quinn. “You then have to go in and set them higher, but it should be the other way around. Security settings should be set at the highest level and you should need to make a conscious decision to lower them.” 

Shifting responsibility 

Half of the new firewalls sold worldwide are made by Fortinet, and each one has security designed in – “out of the box security”, as Quinn puts it. There are no default passwords, but it is still up to the customer to ensure they update with the latest security patches. Fortinet plans to keep improving its performance against the pledge goals, to help shift responsibility away from everyday users. 

“This pledge is part of a worldwide security strategy that moves the onus from the citizen to the people who are the best informed,” she says. “The industry should be doing what it can to tackle this growing global problem.”

For more information: fortinet.com/resources/analyst-reports