Going slow and steady may work out for you if you’re a tortoise competing against an overly confident hare. However, if you’re in the mobile device industry and have been lagging on sending out security updates, it’s time to pick up the pace. A new Federal Trade Commission report issued last month found that while the industry has taken steps to expedite the security update process, more can be done to streamline the process and make it easier for consumers to ensure their devices are secure.
As noted in the FTC’s report, “[s]ecurity researchers and government agencies have consistently maintained that the best way to secure consumer information is to take reasonable steps to design secure products and maintain their security with updates that patch vulnerabilities in device software. Despite this consensus, security researchers and industry observers have reported that many mobile devices’ operating systems (the software that powers the devices’ basic functions) are not receiving the security patches they need to protect them from critical vulnerabilities.”
While the FTC commended the mobile device industry for its efforts to expedite the security update process, it set forth the following five recommendations as ways to continue and improve such efforts:
- Educating Consumers: Government, industry, and advocacy groups should work together to educate consumers about their role in the operating system update process and the significance of security update support. The FTC notes that the more consumers understand the importance of updates, the more likely they are to install available updates and consider security updates when making decisions to purchase, use, and upgrade devices.
- Start with Security: Businesses should consider security as a foundational aspect of their practices and procedures. As such, manufacturers, carriers, and operating system developers should ensure that reasonable security update support is a shared priority, reflected in each company’s policies, practices, and contracts.
- Learning from the Past: Companies should evaluate current practices by studying past practices. This requires keeping more consistent records on security support topics such as update decisions, support length, update frequency, customized patch development time, carrier testing time, and uptake rate. The FTC notes that an analysis of this data may provide an empirical basis for improving mobile device security.
- Security-Only Updates: The industry should consider how best to package security updates to encourage consumers to accept them. This may require offering security-only updates that do not include general software updates, which some users may be hesitant to accept due to feature changes or potential impact on memory, battery life, bandwidth, or the operating system.
- Providing Consumers With Better Information About the Security Update Process: Device manufacturers should consider adopting and stating minimum guaranteed support periods for their devices and should clearly explain the date on which updates will end.
The report was primarily based on the FTC’s findings from information it requested in May 2016 from eight mobile device manufacturers about how they issue security updates. It also took into consideration information it received from wireless carriers about their security update practices. The FTC noted that while the data provided by these companies was not sufficiently representative to permit definitive conclusions about industry practices as a whole, it did provide remarkable insight into the security update practices that affect a large proportion of the devices on the U.S. market.