Data security: Why pre-emptive testing is more important than ever.

It’s fair to say this has been a tough couple of years for firms that handle sensitive, often personal data. Many companies had already struggled to ensure their existing procedures were robust enough – and if they weren’t, that they could at least be adapted – to meet the GDPR requirements in 2018. But under three years later Brexit has cast its shadow, and firms may need to adjust the way they handle data once again.

And during the pandemic, personal data and cyber security have arguably become even more important. Firstly, as we are stuck in our homes, we are signing up for more and more virtual online events. Classes, talks, plays, concerts, anything to give us a couple of hours of normality. Many of these online activities have been set up by new companies or using new infrastructure. And we give them our personal data when we sign up.

And how do we know they are secure? It has been reported that UK firms lost over £6m to cyber-crime in 2020, with a huge 31% increase in cases at the (first) height of the pandemic in May-June last year.

How can firms make sure that the increased volumes of personal data they are looking after are safe? The answer is in pre-emptive testing, and this can even be a service which web developers offer when building websites and applications which will be handling data. Making sure that your work is written using secure code is the first step. If your code contains vulnerabilities, they can be exploited by hackers. If it doesn’t, hackers will look elsewhere. Sounds simple, right?


So how do I make sure my code is secure?
The Open Web Application Security Project (OWASP) has published a reference guide to secure coding practices. This includes areas such as authentication & password management and data protection.
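As an added illustration of one of those OWASP areas (password management), the following Python is example code written for this page, not code from OWASP or from the original article. It contrasts an unsalted hash, which lets anyone holding the database spot users who share a password, with a salted, iterated PBKDF2 hash and a constant-time comparison. The iteration count and salt length are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: a 16-byte random salt per user and a
# high PBKDF2 iteration count so that guessing is slow for an attacker.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak approach: a plain SHA-256 of the password.

    Two users with the same password get the same hash, and precomputed
    tables work against it. Shown only for contrast; do not use.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened approach: random salt + PBKDF2-HMAC-SHA256.

    Returns a self-describing record "pbkdf2_sha256$iterations$salt$hash"
    so the parameters can be raised later without breaking old records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        # Malformed record: fail closed rather than raising into the caller.
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
```

Storing the algorithm name and iteration count alongside the hash is what lets you tighten the parameters as hardware improves: on a successful login you can rehash with the new settings and overwrite the old record.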

Pen testing
As well as making sure you adopt secure code best practice for all websites and apps you create, there are other pre-emptive measures you can take.

One of the most effective, and one which developers could offer as a reassuring service to clients, is a pen test. This is where an ethical hacker is employed to test the site or application to see whether they are able to find any vulnerabilities. Effectively, the ethical hacker uses all the same techniques that an actual hacker would use, but the end result is a report of the system’s weaknesses (and strengths) rather than any damage being done to the site. The test should also lead to a mitigation strategy, allowing the developer to fix any weaknesses and guard against future attacks.

IoT security
Another form of pre-emptive security is in the development of Internet of Things devices. We’ve all read the horror stories of some of the craziest hacks of IoT devices – a remote carjacking being perhaps the most terrifying. But the volume of these devices in regular use continues to grow rapidly. It’s vital, therefore, that security engineers receive adequate training in how to develop and design these devices to meet security best practice.

But why should the developer be responsible for testing this rather than the client?
One of the most common reasons that firms fall victim to cyber-crime is the ‘it’ll never happen to me’ attitude. Firms think they are too small to be noticed, too boring, or that their goals are too worthy to see them fall prey. The problem is, hackers don’t care. They don’t care whether you’re a tiny startup or an established multinational, whether you profit from people’s misfortune or try to save the world. All they care about is whether you have left them an opportunity or not.

So many firms contact cyber security firms only after they’ve been attacked, when, had they been proactive in protecting themselves, the attack could have been avoided altogether. If a developer included the cost of a pre-emptive pen test, or any other early security measures, in their initial quote, they would be able to make the case for its value, and many more secure sites would be built.

Of course, it’s worth pointing out before we finish that no site or application can ever be 100% secure. Cyber threats are constantly evolving, and no one can predict every future development. But the key is not to wait until it’s too late before considering the security of your site or application.

EEZZIE Cyber offer a range of options to help developers build secure websites, applications and devices. Contact us to find out how EEZZIE do the hard work for you.
