Improving Security in Software Outsourcing
21 December 2021 / 21 January 2021 | Software
The COVID pandemic is a staggering event with long-lasting economic impacts. It put much of the world in lockdown and brought many industries to a standstill. To cope with this situation, employers adopted the remote working paradigm. In doing so, they had to address security issues and other challenges. This article explores the hurdles we have been facing in the process and our solutions.
The 300% increase in cybercrime during the pandemic is one of our main concerns. To prevent cyber-attacks, we focused on keeping our employees and data secure. Furthermore, we aimed at meeting all our legal and regulatory commitments. Being a provider of software outsourcing services helped us in the process. At the onset of the pandemic Fortech already had many of the systems required for remote working. This was true especially for customer-facing systems. Expanding them to all our personnel and activities within a few days was no easy feat. Moving everyone to home offices required ingenuity, resilience, and utmost agility.
We had a decision committee carry out a plan for a fast and smooth transition. This included frequent communication with the Fortech personnel and adopting new cloud tools. While these first steps challenged us, they were only the tip of the iceberg. Hackers keep getting better at exploiting the coronavirus theme in their attacks. To prevent serious damage, our IT department must follow suit.
“To adjust our business to the remote model we had to do security and data protection differently. Before the switch, the ‘security defender’ fought the ‘attacker’ in a familiar environment. A high level of protection and mature security processes helped the defender. Now, the battle takes place in the home office, which is unsafe and quite unknown. The shift multiplied the previous targets with the number of employees.” – Florian Rada, IT Manager, Fortech.
Experienced hackers can exploit these connections. To reduce the risks device owners must secure their devices.
“95% of breached records came from only three industries in 2016. Government, retail, and technology. […] They’re just very popular targets because of the high level of personal identifying information.” Source: Cybint
The challenges and risks we faced in moving everyone to home office are thus obvious. Of these, we will mention the ones related to security.
Individual staff members reported slower VPN and Internet connections. To fix the first issue, the IT team expanded the infrastructure. For the second, they offered advice on how to use the available capacity effectively. Running client projects on custom infrastructures and networks added to the pressure. Together with our clients, the IT people addressed this problem. Creative thinking and swift decisions helped in the process. So did training some of our clients on cyber threats and risk prevention.
A considerable number of our clients operate in regulated industries. They include financial services, healthcare, and automotive, among others. These industries are also among the most targeted by hackers. HIPAA Journal reported “9,710,520 healthcare records accessed” illegally in September 2020.
To meet strict industry standards, we applied tight security measures. Furthermore, we kept adapting and predicting, being creative and proactive.
Our efforts, ingenuity, and customer-centric approach paid off in all the cases. We completed the full switch to remote smoothly and within the agreed deadlines.
To this point, we experienced no major troubles with the remote working setups. Communication within our remote teams suffered no serious setbacks in the process.
Keeping our business safe, as well as those of our clients, is Fortech’s top priority.
“The majority of the cyber-attacks, (93%, looking at even last year in the United States), have occurred because of preventable human error.” Source: Information Age
Such errors come in three main forms. First, developers may unwittingly include malicious code in the application. Second, they can make normal human errors or fail to follow best practices. Last, anyone in the company may open a message that seems to come from someone trustworthy.
Hackers can easily create malicious code or impersonate someone you trust. They intensely study the routines in the businesses they target to find ways in. Getting a message to change your Office 365 password is a typical way of stealing passwords. A fake message can be very difficult to distinguish from the real one.
High quality coding can close some entry points for hackers. For a software company, enforcing this practice is critical in normal times. Increasingly complex software applications and development environments challenge engineers. Furthermore, tight deadlines make avoidance of coding errors more difficult than ever.
Moving our entire workforce to home offices spread throughout Romania created new vulnerabilities. So did decentralizing operations to ensure business continuity. This is a complex process that normally takes far more than a few days. Fortunately, our critical business applications were set for home use before the pandemic.
Despite our head start and experience with remote working, we still face a fair share of threats.
“There is a hacker attack every 39 seconds.” Source: Cybint
To make remote work possible we balanced cybersecurity risks and business continuity. We expanded multifactor authentication to all the cloud applications used in the company. Additionally, we improved system monitoring and reviewed the security processes. These measures complemented those required by the ISO-27001 Information Security Management System (ISMS), which we finished implementing before getting certified in 2018.
Another important measure was to use cloud solutions with good security profiles. They are all from major providers like Microsoft, Adobe, Salesforce, and Atlassian. Multifactor authentication, IP whitelisting, and complex passwords ensure safe access to their platforms.
Even before the pandemic, one of our top priorities was to create a cyber security culture at Fortech. The new circumstances made us fast forward the project. We focused on training our people on understanding the threats and incident prevention.
Furthermore, we created a framework for sharing information on cyber security best practice. Both project teams and departments use it in their projects. The framework helps our people understand how cyber-attacks occur. It also helps them prevent intrusions. Understanding that each person can create several points of entry for hackers is crucial.
Our IT department complemented the framework with other effective measures. Recommending external sources of information is one of them. The top 10 list of critical security risks from OWASP is another good example. Each threat in this list is ranked by several factors. Among them are its agents, ability to exploit, technical impact, and business impact. The list also helps our engineers with API security.
Hackers use behavioral patterns of employees in all demographic groups to exploit vulnerabilities. Using variety as a weapon makes them dangerous and difficult to predict. To limit cyber risks, companies must follow suit. Emphasizing diversity in their teams is a first step in this direction. At Fortech, the real opportunity to build diverse teams came with the pandemic. Having to work only remotely, we started to look for collaborators all over Romania. This approach greatly expanded our reach.
To identify patterns in data from a diverse set of people one needs specialized software. Hackers are already relying on artificial intelligence (AI) to coordinate their attacks. To face such threats companies must adopt similar solutions. Fortech is already analyzing AI-based solutions for the detection of abnormal network behavior. Choosing and implementing the right application is costly and time consuming. On the bright side, the positive impact on our security profile will be well worth the effort and the wait. Such solutions will greatly benefit us and our clients.
According to the Cost of a Data Breach report published by IBM, the global average cost of a data breach is $3.9 million. This makes the time and money invested in an effective AI-based solution seem trivial.
As mentioned earlier, hackers force entry by mimicking typical behaviors in the company. They do this using machine learning algorithms. These algorithms rely on vast amounts of relevant data. They learn by repeated trial how to use it best to deceive the targeted persons and how to choose the targets for the next attack.
To counter, companies should use AI to identify the most exploitable behavioral patterns. This can help them improve threat prevention and detection. Another great use for AI is the security awareness training. These measures may help create a true cyber security culture fast.
Companies do not face security threats only from hackers. Employees may lose the company hardware entrusted to them, for example. To address the risk, we use encryption following our Cryptographic Control Policy. For data at rest, we encrypt all the editable partitions. We rely for this on BitLocker, FileVault, or other similar tools. Further, we protect the integrity of the encrypted information. For data in motion, we use encrypted network connections. We apply encryption for:
- transmission of sensitive files,
- accessing sensitive data from anything with a web interface, including mobile devices,
- all the network traffic used to access the virtual desktop environment remotely,
- transporting sensitive data that is part of a database query or web service call. Such calls may be SQL queries on a database or RESTful web service calls to a cloud application,
- privileged access to network or server equipment for system management purposes.
To encrypt sensitive files for transmission we use secure FTP, SCP, or VPN. To access sensitive data via a web interface, we encrypt it using HTTPS.
We make sure we only secure what we must and limit the data exposed in case of breach. For this, we decide what data is critical to our business and what is not sensitive. We also decide what we should protect to meet regulations. We then decide what we must store and protect all the mission-critical data at the level required. Last, we only store the data for as long as we need it.
“More than 77% of organizations do not have a Cyber Security Incident Response plan”. Additionally, “most companies take almost 6 months to detect a data breach, even major ones”. This is not the case at Fortech, where we apply appropriate policies and processes.
If an incident still occurs, we respond by following the incident management process. Depending on the situation, we apply different techniques to address technical vulnerabilities. The first choices are segregating the affected systems and deactivating the affected service. We can then amend access opportunities via firewalls or apply changes to monitoring.
We also have documented and tested processes for disaster recovery management. Furthermore, IT service and business continuity are guaranteed at Fortech.
Moving the entire workforce to remote mode drove huge leaps in cyber security at Fortech. Such advances might have taken us years in normal times. We started by creating a cyber security culture and implementing new processes. In parallel, we emphasized resilience and diversity in the teams. To keep up with the hackers, we will soon adopt AI solutions.
The pandemic brought us the opportunity to create foolproof remote offices. It also triggered improvements in our remote communication. Last, it made us explore new features for our security and enterprise systems.
Keeping the data entrusted to us by our clients secure is Fortech’s top priority. To guard it we will enhance our security measures continuously.