Security testing is the process of looking for vulnerabilities and risks in software systems and applications. It’s a lot like life insurance; important enough that its value is largely recognized, but an added expense that we hope to never use. However, if we do ever need it, we regret not having it.
Evaluating the risks associated with vulnerabilities in software security is complicated. First, the likelihood that an event may occur, as well as its potential impacts, has to be understood. Then, the effort required to mitigate a risk, the associated costs to prevent it, and the benefits that the implemented controls provide have to be measured. Finally, all of these things have to be balanced to determine how much to budget to avoid or mitigate the risk.
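The three steps above (estimate likelihood and impact, cost the mitigation, balance the two) are usually worked through with the annualized loss expectancy model. The following script is an added example, not part of the original article: it scores constructed sample risks with ALE = ARO × SLE, then ranks candidate controls by return on security investment (ROSI), so that a control costing more than the loss it prevents shows up with a negative score. Every risk name, likelihood, impact and control figure in it is an assumed sample value for illustration.

```python
"""Quantitative risk assessment helper (added example, not from the original article).

Implements the standard annualized-loss-expectancy (ALE) model:
    ALE = ARO * SLE
where ARO is the annual rate of occurrence (likelihood per year) and SLE is
the single loss expectancy (impact in currency per event). A control is worth
its cost when the ALE it removes exceeds what it costs to run, expressed as
the return on security investment (ROSI):
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost
All risk names, likelihoods, impacts and control figures below are constructed
sample values, not data from the article.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float   # expected occurrences per year (likelihood)
    sle: float   # cost per occurrence, same currency for every figure (impact)

    def ale(self) -> float:
        """Annualized loss expectancy: likelihood multiplied by impact."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                          # cost to implement and operate per year
    reduction: dict[str, float] = field(default_factory=dict)  # risk name -> fraction of ARO removed (0..1)

    def residual_ale(self, risks: list[Risk]) -> float:
        """Total ALE that remains once this control is in place."""
        total = 0.0
        for r in risks:
            factor = 1.0 - self.reduction.get(r.name, 0.0)
            total += r.ale() * factor
        return total


def rosi(control: Control, risks: list[Risk]) -> float:
    """Return on security investment as a fraction of the control's annual cost."""
    before = sum(r.ale() for r in risks)
    after = control.residual_ale(risks)
    return (before - after - control.annual_cost) / control.annual_cost


def rank_controls(controls: list[Control], risks: list[Risk]) -> list[tuple[str, float]]:
    """Rank candidate controls by ROSI, best first.

    A negative ROSI means the control costs more per year than the loss it prevents.
    """
    scored = [(c.name, rosi(c, risks)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample risk register (assumed figures, not real data).
SAMPLE_RISKS = [
    Risk("ransomware outage",     aro=0.20, sle=1_500_000.0),  # incl. ransom, downtime, recovery
    Risk("customer data breach",  aro=0.10, sle=4_000_000.0),  # incl. notification, churn, fines
    Risk("lost/stolen USB drive", aro=2.00, sle=25_000.0),
]

# Constructed candidate controls with assumed effectiveness figures.
SAMPLE_CONTROLS = [
    Control("annual third-party penetration test", 60_000.0,
            {"ransomware outage": 0.40, "customer data breach": 0.50}),
    Control("encryption of laptops and removable media", 20_000.0,
            {"lost/stolen USB drive": 0.90}),
    Control("oversized monitoring platform (assumed low effectiveness)", 500_000.0,
            {"ransomware outage": 0.10}),
]

if __name__ == "__main__":
    for name, score in rank_controls(SAMPLE_CONTROLS, SAMPLE_RISKS):
        print(f"{name:60s} ROSI = {score:+.2f}")
```

With the sample figures the penetration test removes 320,000 of the 750,000 total ALE for a 60,000 outlay (ROSI +4.33), encryption removes 45,000 for 20,000 (ROSI +1.25), and the oversized platform is a net loss (ROSI −0.94); the value of the model is that the same arithmetic, fed with an organization's own estimates, makes the budget discussion explicit rather than intuitive.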
In cyber security, risks include everything from the exposure of sensitive data and loss of public trust to the complete shutdown of operations. Companies should also consider other factors such as long- and short-term business strategies, industry and company standards and best practices, local and national regulations, and customer demands and expectations.
Cyber Attackers Are Black-Hat Entrepreneurs
From an IT perspective, 2019 was a banner year in ways both good and bad. Great strides were made in fields such as artificial intelligence, predictive modeling, and quantum computing. Unfortunately, 2019 also revealed how vulnerable we all are to cyber threats. Every industry in every country has been affected. Just a few of the ledes you may have read include:
- To get 5.25 million passport numbers, hackers didn’t have to attack the Canadian government – they only had to target Marriott.
- Capital One was kind enough to foot the data-monitoring and identity-protection bill for an unspecified number of people when a single attacker stole the credit scores and balances, and possibly social insurance numbers, of 6 million Canadians and 100 million Americans.
- The Canadian laboratory testing company LifeLabs – the largest provider of its kind in Canada – paid an undisclosed amount of money in ransom to hopefully secure the sensitive health information of as many as 85,000 customers, and the log-in information (including passwords) of more than 15 million.
- And 2019 saw an increase both in the number and in the sophistication of data theft, ransomware attacks, and – worse – their combination.
What these cyber incidents show is that even the most unexpected companies are at risk of systems security breaches. These breaches do more than affect the integrity of those systems and the information they contain. They impact the integrity of the very company itself.
A risk assessment for a cyber incident has to include any money that might be paid to ransomers, the loss of current and future customers due to their loss of trust, and the time and money the company will spend fixing the problem itself and the consequences to the company’s image.
The reason all companies are vulnerable is that cyber attackers are not 9-to-5 employees who leave work at the office. They are passionate and persistent experts in the field of information technology. They go after work-related problems in the same way as the most motivated entrepreneurs. If they think they can profit from your data – and with the advent of ransomware, all data is valuable – they are unrelenting.
A Global Economy Means a World of Options
If, instead of IT, our business was manufacturing, then safety checks would be automatic. Our employees would inspect their equipment daily. Our equipment would undergo routine maintenance that municipalities would regulate. And before we introduced a new line or piece of equipment, we would first run a safety study. In other words, in manufacturing, safety is a known cost of doing business.
The history of workplace safety goes back a long way. Suffice it to say that safety wasn’t focused on until the costs of ignoring it outgrew the costs of keeping employees safe.
In IT, no one is going to lose a limb, much less their life, if a company gets hacked. As we’ve discussed, however, there are known costs to insufficient security systems. The only question is at what point the costs of adding routine security checks to your business model outweigh the costs of succumbing to an attack.
In a global economy, the risks of a security breach are greater than ever. Because customers now have – literally – a world of options, security testing is no longer a luxury. Protecting our customers’ financial and personal data is best practice, and protecting our company’s brand, reputation, and proprietary data is a necessity.
Security testing goes by many different names, including ethical hacking, penetration testing, and red teaming. While there are some technical differences between them, they share a common objective – to protect a company’s systems by testing the maturity of its IT security and identifying potential vulnerabilities in its environment.
The best practice is to have a third party perform security testing. An independent and unbiased source will make no assumptions or compromises about the quality of your security. Moreover, an experienced IT company knows:
- the latest and most effective ways of assessing cybersecurity performance,
- the likeliest vulnerabilities according to your business and technological environment, and
- how to implement the methodology to strengthen your organization’s security.
Finally, a company focused on security will have kept pace with the most recent threats, and will have adapted its methodology accordingly.
The Best Defense Is a Holistic Approach
The best defense against cyber threats is a holistic approach toward software security. Cyber security isn’t something done only when a business starts up, or maintained at periodic intervals. Like safety in manufacturing, cyber security is a continuous effort. The coverage level and complexity of the testing need to evolve with the software you are building.
While it’s important to remember that hackers can be persistent and sophisticated, it’s also important not to overlook the simpler things. Even non-sophisticated attacks can harm your system, your data, and your organization. It only takes one employee with a data stick to damage your entire company.
Remember, regardless of your industry, anyone can be a target of a cyber attack. If you have data that’s important to you or your customers, you could be next. Working with the right partner is a critical component of your company’s security; that partner will impact every aspect of your IT business, including your processes, infrastructure, coding, and deployment methodologies. All of these aspects ultimately define the robustness and quality of your security, and the confidence of its users and customers.
If you’re concerned about your software security and want to discuss options, we are here for you.
Contact us at firstname.lastname@example.org.