A sensible approach to security

Any business can suffer a data security breach. The key to managing security is taking a sensible, balanced approach based on careful evaluation of risk, detailed planning and robust processes.

According to the UK government, almost nine out of ten large firms and 74% of small businesses reported at least one security breach in 2015. So every business that deals with sensitive information has to manage its security.

1. Not just tech

One of the biggest misconceptions about security is that it’s a technology problem for technology people to deal with. Many companies think that their technology provider, or their in-house IT department, will take care of it, so they don’t have to worry about it.

In fact, no matter how watertight your contracts with technology providers are, the risks associated with data security cannot be outsourced. After all, security also depends on what happens with the data in your own organisation. In addition, it’s your business that will ultimately have to deal with the commercial, financial and reputational fallout of a serious data breach.

2. Security is about people

Security is just as much a human problem as a computer problem. As the UK government report cited above makes clear, people are just as likely to cause a security breach as hackers, malware or viruses. That’s why security is an issue for the managers of the business, not just its technical staff.

Effective security management means dealing with the grey area where humans and technology meet. For example, let’s say your development team is setting up a function where users can create their own passwords. If they follow security best practice, they might require passwords to be complex, unique and of a stipulated minimum length.

But what if a user stores or transmits their password in a non-secure way – for example, by posting it to a public GitHub repository, sending it in a plain-text email or writing it on a Post-It stuck to their monitor? In that case, it doesn’t matter how strong the password is – the security of the entire system has been compromised. And the development team probably won’t know anything about it. The system has been left wide open to attack because not enough time was spent thinking about the human aspects of security.

3. What are the risks?

There are a number of scenarios where your data can fall into the wrong hands. Let’s look at the main types.

An unprincipled employee could take your data and use it to start their own business – effectively, stealing your client base. Or a disgruntled team member could disclose your users’ or customers’ data for malicious purposes, purely to embarrass you (the practice known as ‘doxing’). This could include personal data such as addresses and birth dates, or even passwords.

Alternatively, a hacker or an employee might try to decrypt users’ passwords from your database. Then, knowing that people often re-use passwords across multiple sites and services, they might use that information to hack your users’ emails, access their online banking or turn their computers into ‘spambots’. And even if they don’t want to do these things, they might still sell the data to someone who does.

Corporate blackmail is another threat. Having hacked into the database, the criminal encrypts the data and holds it to ransom, demanding payment to undo the encryption and restore the data to its rightful owners. Needless to say, if you pay up, the demands simply escalate, and the data is probably never decrypted at all.

4. Data without frontiers

Because so many firms outsource technical functions, the group of people involved in security frequently overlaps company boundaries. So when we talk about ‘employees’, we mean any employee who might have access to important data – whether in your firm, or any of your suppliers.

It follows that your security isn’t always under your direct control. Instead, it’s an issue that can be shared by many people across multiple organisations, potentially all over the world. That makes careful management and planning even more important, and it means that everyone needs to understand exactly what they’re doing, and the implications of their actions.

5. The cost of security

Perfect security is impossible, and infinite security has infinite cost. So managing security means striking the optimum balance between risks, costs and impacts.

Risk can never be avoided completely, so you need to decide how to deal with each security risk you face. If you decide to take action to prevent a risk, you need to assess the costs of your actions, and the potential knock-on effects for your business.

For example, improving security often affects user experience, by making services more time-consuming to use, or impairs software performance, usually by making things run more slowly.

At other times, tightening up security makes it harder for people in your business to complete their daily tasks. For example, software developers need access to your data in order to work. It’s a bit like taking your car in for repairs: you have to leave the keys with the mechanic, and trust that they won’t just drive your car away.

Sometimes, there are ways to anonymise real data, so it’s in the right format but not connected to any real person. Or you could use fake data – but then you’d have to create a complete ‘shadow’ database, otherwise your tests won’t reflect the real-world workload your software will have to deal with, and the level of performance you can expect.

There are also ways to encrypt data in such a way that even developers can’t see it. That’s what healthcare and financial firms do, where the information is regarded as so sensitive that any risk of disclosure is too high. However, these approaches make development cumbersome, adding to the time and cost of software development and maintenance across the board, and on an ongoing basis.

Finally, legislation plays a part too: there may be some steps that are mandatory under the law of your country, so you have to take them regardless of their cost or impact.

Whatever you decide in terms of preventing, mitigating or accepting a risk, you must make sure you can recover from a data breach if one does occur. As attacks become more likely, a good recovery plan becomes even more crucial.

6. Our approach to managing risk

We run an internal risk management system modelled on ISO 27001.

Our approach is to work with you to create a threat model: a shared document that records key people’s views on the main threats to the application and its data.

Some of these risks will be generic security risks that are involved with any application, and some will be specific risks that arise from the way your individual business, and the people within it, will actually use our software.

Our threat model is based on the recommendations of the Open Web Application Security Project. For each risk, the threat model sets out:

  • The probability of the risk occurring. Probabilities based on real-world data are ideal, but an estimate is better than nothing – even when it’s not that accurate, the exercise of thinking about the probability is often valuable. Probability depends on how easy it is to discover, exploit and reproduce a vulnerability.
  • The impact if the risk were to occur, including:
    • how many components would be affected by the risk
    • how many users could be affected
    • the financial costs and reputational damage of data being breached, stolen or disclosed
    • practical implications and financial costs of recovery.
  • How we’ll mitigate the risk (prevent it from occurring, make it less likely to occur or reduce its impact), including:
    • training and awareness
    • encrypting data and protecting passwords
    • backing up data to a secure, remote location that only administrators can access
    • policies on working from home, remote access and so on
    • technological approaches such as firewalls, blocking certain IP addresses and so on
    • physical security at data centres and other premises
    • thoughtful, proactive HR practices
  • How we’ll detect the risk, including:
    • defining suspicious, or potentially suspicious, behaviour (multiple logins, logins from unexpected IP addresses)
    • deploying software to detect suspicious behaviour
  • What we’ll do to recover from the risk if it happens, including:
    • what to do, and who to notify, in the event of a breach
    • how passwords and access privileges will be reset
    • data recovery procedures
    • business continuity plans.
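The two detection items above (defining suspicious behaviour, then deploying software to spot it) can be made concrete with a small detector run over authentication log lines. The following is an added illustration, not E-Accent's software: the log line format, the five-failures-in-five-minutes threshold, the "known network" list and the sample log itself are all constructed assumptions. It flags a burst of failed logins for one account, a successful login that follows such a burst, and a successful login from an address outside the expected networks.

```python
"""Detector for the suspicious behaviours named in the threat model:
repeated logins (a burst of failures, and a success right after such a
burst) and logins from unexpected IP addresses.

Added illustration, not E-Accent's software.  Log format, threshold,
window and the known-network list are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

KNOWN_NETWORKS = [ip_network("10.0.0.0/8")]   # assumed: where staff normally log in from
FAIL_THRESHOLD = 5                             # assumed: failures that count as a burst
WINDOW = timedelta(minutes=5)                  # assumed: how close together they must be

# Constructed sample log: "<ISO timestamp> <user> <success|failure> <source ip>"
SAMPLE_LOG = """\
2016-03-01T09:00:01 alice success 10.0.0.12
2016-03-01T09:00:05 bob failure 10.0.0.40
2016-03-01T09:00:09 bob failure 10.0.0.40
2016-03-01T09:00:13 bob failure 10.0.0.40
2016-03-01T09:00:17 bob failure 10.0.0.40
2016-03-01T09:00:21 bob failure 10.0.0.40
2016-03-01T09:02:00 bob success 10.0.0.40
2016-03-01T13:45:00 alice success 203.0.113.77
2016-03-01T14:00:00 carol failure 10.0.0.8
2016-03-02T08:30:00 carol success 10.0.0.8
"""


def parse(log_text):
    """One (timestamp, user, outcome, ip) tuple per non-empty line, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, ip_address(ip)))
    return sorted(events, key=lambda e: e[0])


def detect(events):
    """Return (alert_type, user, detail) tuples in the order the events trigger them."""
    alerts = []
    recent_failures = defaultdict(list)      # user -> timestamps of failures still inside WINDOW
    for ts, user, outcome, ip in events:
        window = [t for t in recent_failures[user] if ts - t <= WINDOW]
        if outcome == "failure":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD:  # alert once, as the threshold is crossed
                alerts.append(("repeated_failures", user,
                               f"{FAIL_THRESHOLD} failed logins within {WINDOW}"))
        else:
            if len(window) >= FAIL_THRESHOLD:  # a success right after a burst is worth a look
                alerts.append(("success_after_failures", user,
                               f"login succeeded after {len(window)} recent failures"))
            if not any(ip in net for net in KNOWN_NETWORKS):
                alerts.append(("unexpected_ip", user, str(ip)))
            window = []                        # a successful login resets the failure count
        recent_failures[user] = window
    return alerts


if __name__ == "__main__":
    for alert_type, user, detail in detect(parse(SAMPLE_LOG)):
        print(f"{alert_type:24} {user:8} {detail}")
```

On the sample log this raises three alerts: bob's fifth failure inside the window, bob's success immediately after that burst, and alice's login from 203.0.113.77; carol's single failure a day before her success produces nothing. The rules are deliberately simple so that the thresholds can be agreed with the business as part of the threat model rather than buried in code.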

Usually, we find that certain risks stand out as being either likely to happen, or very damaging if they do. Those are the risks that we need to take specific action to mitigate. The others will simply have to be covered by general best practices, some of which are outlined below.
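The shape of the threat model (probability from discoverability, exploitability and reproducibility; impact across components, users, cost and recovery; then mitigation, detection and recovery entries) and the idea that certain risks "stand out" can be written down as a small risk register. The following is an added illustration, not E-Accent's own tool: the 1-to-3 rating scale, the averaging, the stand-out threshold and the three sample risks (drawn from the scenarios in section 3) are all assumptions. The multiplication of a likelihood figure by an impact figure is the general structure of methods such as the OWASP risk rating methodology, but the specific factors and weights here are the example's own.

```python
"""Risk register in the shape of the threat model above.

Added illustration, not E-Accent's own tool.  Every factor is rated
1 (low) to 3 (high); probability and impact are the means of their
factors; the risk score is probability * impact; scores at or above
STANDOUT_THRESHOLD are the risks that need specific action.  All of
these choices are assumptions for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH = 1, 2, 3      # assumed rating scale for every factor
STANDOUT_THRESHOLD = 4.0         # assumed cut-off between "act specifically" and "general best practice"


def _check(name: str, value: int) -> None:
    if value not in (LOW, MEDIUM, HIGH):
        raise ValueError(f"{name} must be rated 1, 2 or 3, got {value!r}")


@dataclass
class Risk:
    name: str
    # probability factors: how easy the weakness is to discover, exploit and reproduce
    discover: int
    exploit: int
    reproduce: int
    # impact factors: components and users affected, financial/reputational damage, cost of recovery
    components: int
    users: int
    cost: int
    recovery_cost: int
    # the remaining threat-model entries, kept as free text
    mitigation: list[str] = field(default_factory=list)
    detection: list[str] = field(default_factory=list)
    recovery: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for factor in ("discover", "exploit", "reproduce",
                       "components", "users", "cost", "recovery_cost"):
            _check(factor, getattr(self, factor))

    def probability(self) -> float:
        return (self.discover + self.exploit + self.reproduce) / 3

    def impact(self) -> float:
        return (self.components + self.users + self.cost + self.recovery_cost) / 4

    def score(self) -> float:
        return self.probability() * self.impact()


def rank(risks: list[Risk], threshold: float = STANDOUT_THRESHOLD) -> list[tuple[str, float, bool]]:
    """Highest score first; the flag marks risks that need specific mitigation."""
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.name, round(r.score(), 2), r.score() >= threshold) for r in ordered]


# Constructed sample register, using the three scenarios described in section 3.
SAMPLE_RISKS = [
    Risk("Ransomware encrypts the production database",
         discover=MEDIUM, exploit=MEDIUM, reproduce=MEDIUM,
         components=HIGH, users=HIGH, cost=HIGH, recovery_cost=HIGH,
         mitigation=["backups in a secure remote location only administrators can access", "timely patching"],
         detection=["alerts on bulk file modification"],
         recovery=["restore from backup", "notify customers and regulator"]),
    Risk("Stored passwords recovered from a copy of the database",
         discover=MEDIUM, exploit=MEDIUM, reproduce=HIGH,
         components=MEDIUM, users=HIGH, cost=HIGH, recovery_cost=MEDIUM,
         mitigation=["protect stored passwords", "two-factor authentication for power users"],
         detection=["logins from unexpected IP addresses"],
         recovery=["force password reset", "notify affected users"]),
    Risk("Departing employee exports the client list",
         discover=HIGH, exploit=HIGH, reproduce=HIGH,
         components=LOW, users=LOW, cost=MEDIUM, recovery_cost=LOW,
         mitigation=["least-privilege access", "off-boarding protocol"],
         detection=["audit logging of bulk exports"],
         recovery=["revoke access", "legal follow-up"]),
]

if __name__ == "__main__":
    for name, score, standout in rank(SAMPLE_RISKS):
        print(f"{score:5.2f}  {'ACT' if standout else 'general best practice':22}  {name}")
```

With these sample ratings the ransomware and stored-password risks score 6.00 and 5.83 and are flagged for specific action, while the insider export scores 3.75 and falls under general best practice. The value of the exercise is less in the arithmetic than in having each factor argued over and written down, which is why the register rejects any rating outside the agreed scale rather than silently accepting it.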

Just thinking and talking about these issues can be highly productive, often uncovering issues that have never been considered before.

7. Things we can do

There are some things we can do to improve security without even consulting you. Many are industry best practices that any good development team should be doing, on any project.

For example, it’s always good practice for ‘power users’ to use two-stage authentication, so they have to provide both a password and a one-time passcode generated by a device. We keep our hardware physically secure, and our software up to date. We stay informed about new security threats by following industry blogs and security advisory sites, and have training and awareness programs for our employees and consultants.

Routine is our friend. We have detailed workflows that set out everything we need to check, verify or discuss on a regular basis, from the very practical and mundane through to highly technical points.

We also take care of our desktop security – that is, the hardware and software we use to work on your application. We make sure we use specific hardware for work purposes only (that is, not for entertainment or browsing). We check security settings frequently and install security updates as soon as they’re available. We also prohibit employees from using their machines for personal email, to reduce the risk of them clicking on a link that’s part of a phishing attack.

On the human side, we take care to get to know people before they join us, so we only appoint those with high standards of professionalism and responsibility. And we have an off-boarding protocol that kicks in whenever someone leaves our team.

8. Things you can do

As security affects everyone in your business, security awareness training is always a good idea. This will ensure your staff understand the risks around security, and appreciate that they themselves have a part to play in safeguarding it.

You can use a password manager to generate, share and store passwords for all the services your team members use. While there have been cases of password managers being hacked, in our view they remain the best way to manage passwords – and far better than human ‘workarounds’ such as recording passwords in insecure venues, reusing the same password over and over again or using passwords that would be easy for hackers to guess.

9. Revisiting risk

The threat model isn’t a document that is created and kept on the shelf. We need to have regular conversations with you and your IT team to make sure the model stays up to date. New threats can emerge, and they need to be added in. Or if we’ve added a new feature to your software, it might raise a new threat that needs to be considered.

Sometimes, the time we’ve set aside for maintenance tasks becomes too little, so we need to report to you on what we’ve been able to do, and agree what we should focus on in future.

We need to reappraise how sensitive your data is, and whether the right people still have access to it, on a regular basis. Maybe someone’s left, and their access needs to be revoked. These are things that only you can do – but we can help you remember.

Training also plays a key role in maintaining security awareness. When new people join your company, they need to be inducted into your processes for managing security risks. In fact, existing staff can benefit from training too, because people do tend to slip back into old habits.

The E-Accent risk management package

If you choose us for your enterprise web application, we’ll offer you a risk-management package comprising the following elements:

  • A threat model included as standard as part of the requirements definition for your application. In other words, security is built into the specification for your software from the very beginning, helping us make the right development decisions later on. Just as we consider how your users’ experience can be made easier and smoother, so we’ll also consider how hackers’ experience can be made more difficult.
  • Regular security meetings with your management and IT teams, at which we’ll review the threat model and revise it as necessary.
  • Maintenance checklists, based on our established lists of best practices and tailored to your project. We have four checklists, with tasks for us to carry out daily, weekly, monthly and quarterly, and we send you a report after we complete each one. Every so often, we’ll consult you to determine whether tasks need to be added, or can be dropped, and agree how much time we should spend on maintenance. We offer advice throughout this process.
  • A recovery plan detailing how we’ll get your application up and running again following a data breach, including who to notify, resetting passwords, restoring backups and so on.
