Improving Security in Software Outsourcing
05 February 2021 | 21 January 2021 | Business Processes
Table of Contents
- Main Security Related Challenges in Switching to Remote
- Common Entry Points for Hackers
- Addressing the Threats
What we witnessed in 2020 is a once in a lifetime event with staggering, long lasting economic impacts. With roughly a third of the world in lockdown, many industries in standstill and people afraid to leave their houses, employers have been struggling to adapt to the remote working paradigm.
In this article we will be discussing the pressures that this shift has put on security at Fortech and the measures that we have been taking to address them. The magnitude of these pressures is made clear by the 300% increase in cybercrime reported by the FBI since the start of the pandemic.
Keeping our employees secure in their home offices and meeting legal and regulatory requirements have been our top priorities since switching to remote. Being a provider of software outsourcing services gave us a significant head start. When the pandemic struck, Fortech had already implemented many of the systems required for remote working, mainly for customer-facing activities. Expanding them to all our personnel and activities within a few days was no easy feat. Moving all the people to home offices required ingenuity, resilience, and utmost agility. We swiftly assembled a decision committee that put together all the measures needed to ensure the fast and smooth transition, communicated frequently, comprehensively, and clearly to the Fortech personnel all the decisions affecting them, and adopted new cloud tools for communication, among others.
While these first steps challenged us, they were only the icing on the cake. As hackers are learning how to exploit the coronavirus theme in their attacks, preventing and blocking them has put our IT department in overdrive.
“The pandemic and adjustment of our business to the remote model determined a major contextual shift in security and data protection. The battle ground between the ‘security defender’ and the ‘attacker’ moved from an environment with a high level of protection and mature security processes to the home office, which is considered unsafe and relatively unknown. This shift multiplied the number of targets for attackers proportionally with the number of employees” – Florian Rada, IT Manager, Fortech.
According to Cisco, “billions of IoT devices are already connected, with 75 billion due to arrive in the IoT market by 2025”. All these connections can be exploited by experienced hackers unless the owners of the devices take the threat seriously.
“95% of breached records came from only three industries in 2016. Government, retail, and technology. The reason isn’t necessarily that those industries are less diligent in their protection of customer records. They’re just very popular targets because of the high level of personal identifying information contained in their records.” Source: Cybint
These statistics make it clear that a drastic measure like moving everyone to home offices in a few days could not be free of challenges and risks. We faced many hurdles in the process, of which we will mention several that are related to security.
Individual staff members have been reporting slower Internet or VPN connections than in the office. To fix the VPN slowdowns, the IT team responded quickly by expanding the infrastructure. For the Internet connections, they offered advice on how to use the available capacity effectively. While these aspects may seem serious enough, the real challenges came from our clients with projects that we had to run on custom infrastructures and networks from Western Europe and the United States. Enabling remote access in each instance required working together with our clients, creative thinking, and swift decisions. It also meant that we had to train some of our clients on cyber threats and work hard to convince them to invest in minimizing the risks of attacks.
A considerable number of our clients operate in intensely regulated industries like financial services, healthcare, and automotive. These industries are also among the most targeted by hackers. According to the HIPAA Journal, “9,710,520 healthcare records were exposed” in data breaches in September 2020 alone.
To address cyber-crime threats and comply with the strict industry standards we had to apply the tightest security measures possible, constantly adapt and predict, be creative and proactive.
Our efforts, ingenuity, and customer-centric approach paid off in all the cases, the full switch to remote being completed smoothly and within the agreed deadlines.
To this point, we experienced no major troubles with the remote working setups and communication within our remote teams kept improving.
“The majority of the cyber-attacks, (93%, looking at even last year in the United States), have occurred because of preventable human error.” Source: Information Age
Such errors come in three main forms. First, developers may unwittingly include malicious code like logic bombs, backdoors, or sniffers in the application. Second, they might simply make normal human errors or fail to follow best practices, leaving the software open to attacks. Last, anyone in the company may be tricked into opening a message that seems to come from a trustworthy person within the organization.
Hackers are experts not only at creating malicious code but also at impersonating someone you trust in the company, like your CEO or the head of a functional department. They intensely study the routines in the businesses they target to find ways in. Getting a message to change your Office 365 password within the time frame in which you would normally receive it from the real system is a typical way of stealing passwords and/or installing malicious code. Beware that such a message can look so real that, unless you carefully check its authenticity by looking at the email header or hovering the mouse over the links in the message body, you could easily be tricked into following the instructions.
For a software company like Fortech, maintaining high quality coding practices has been the top security concern in normal times. The constantly increasing complexity of the software applications and the software development environments, coupled with the tight deadlines, required increased efforts from our engineers to avoid coding errors.
In the new context, we are equally worried about the vulnerabilities brought on by moving our entire workforce to home offices spread throughout Romania. To ensure business continuity, we decentralized operations. This is a complex process that normally takes far more than a few days. Unlike businesses operating in other industries, we already had all the critical business applications set for home use when the pandemic struck.
Despite our head start and extensive exposure to remote working, we still face a fair share of threats, which we take fast and strong steps to address.
“There is a hacker attack every 39 seconds. A Clark School study at the University of Maryland is one of the first to quantify the near-constant rate of hacker attacks of computers with Internet access— every 39 seconds on average, affecting one in three Americans every year —and the non-secure usernames and passwords we use that give attackers more chance of success.” Source: Cybint
With all our employees currently working from home and the hybrid approach in mind, the IT department at Fortech balanced cybersecurity risks and business continuity by expanding multifactor authentication to all the cloud applications used in the company, improving system monitoring, and reviewing the processes and plans that address potential cyber security incidents. These measures complemented those required by the ISO-27001 Information Security Management System (ISMS), which we finished implementing before getting certified in 2018.
As for the cloud solutions we use, our main protective measure is to acquire them from major providers like Microsoft, Adobe, Salesforce, and Atlassian. To ensure safe access to their platforms, we rely on multifactor authentication, IP whitelisting, and complex passwords.
Even before the pandemic, one of our top priorities was to create a cyber security culture at Fortech. Given the new circumstances we fast forwarded this project, focusing on training all our people to understand the threats we are facing and on how to prevent security incidents.
To complement the training, we created a framework for sharing information on cyber security best practice between project teams and between departments. Our people should understand not only the different types of cyber-attacks, weaknesses that hackers exploit, and the reasons behind such attacks, but also how to protect the company and the software they create against intrusion. They should also understand that each of them has vulnerable devices and can create multiple points of entry.
To increase awareness of cyber security among our engineers, our IT and Security department recommended that all the specialists coordinating web projects consult the top 10 list of the most common and critical security risks published by the Open Web Application Security Project Foundation (OWASP). In this list each threat is ranked by factors like its agents, ability to exploit, ability to hide, frequency, technical impact, and business impact. The list also helps our engineers with API security.
Hackers exploit vulnerabilities by using the behavioral patterns of employees in all age and ethnic groups, professions, positions, and religions. Using diversity as a weapon is what makes them extremely dangerous and difficult to anticipate. To limit cyber risks, companies must also diversify their thinking process by relying on different types of people and emphasizing diversity in their teams. While Fortech has always been an equal opportunity employer, hiring people regardless of age, gender, or nationality, the real opportunity to diversify the teams came with the pandemic. Being forced to work only remotely, we started looking for collaborators all over Romania, thus greatly expanding our reach.
Gathering data from a set of people that is diverse and representative enough and identifying patterns in it requires the use of specialized software. Hackers are already relying on artificial intelligence (AI) to coordinate their attacks. To face such threats companies must adopt similar solutions. Fortech is already looking into AI-based solutions for the detection of abnormal network behavior. Choosing and implementing the right application is costly and time consuming, but the positive impact on our security profile will be well worth the effort and the wait. Such solutions would greatly benefit us and our clients.
According to the Cost of a Data Breach report published by IBM, the global average cost of a data breach is $3.9 million. This makes the time and money invested in an effective AI-based solution seem trivial.
As mentioned earlier, hackers can force entry by mimicking processes or typical behaviors in the company. They do this by employing machine learning algorithms, which are fed vast amounts of relevant data and learn by repeated trial how to use it best to deceive the targeted persons. Such algorithms can even be programmed to learn by themselves how to choose the targets for the next attack.
Using AI to find out which behavioral patterns are the most likely to be exploited would allow companies to improve threat prevention and detection. In addition, adopting AI solutions for the security awareness training may help create a true cyber security culture in the company fast.
Companies do not face security threats only from hackers. Employees may lose the company hardware entrusted to them, for example. To address such a risk, Fortech relies on encryption, which is governed by our Cryptographic Control Policy. The encryption methods we use are for data at rest and for data in motion. For data at rest, we encrypt all user-writable partitions on portable devices and portable storage media with BitLocker, FileVault, or other similar tools. In addition, we protect the integrity of the information held encrypted. For data in motion, which is targeted by hackers, we rely on encrypted network connections. We require encryption for:
- transmission of sensitive files,
- accessing sensitive data from anything with a web interface, including mobile devices,
- all the network traffic used to access the virtual desktop environment remotely,
- transporting sensitive data that is part of a database query or web service call, such as using a SQL query to retrieve or send data from a database or a RESTful web service call to retrieve or send data from a cloud application, or
- privileged access to network or server equipment for system management purposes.
To encrypt sensitive files for transmission we use secure FTP, SCP, or VPN, while to access sensitive data via a web interface we encrypt it using HTTPS.
To ensure that we only secure what we must and minimize the data exposed in case of breach, we decide what data is critical to our business, what must be protected from a regulatory perspective, and what is not sensitive. We then decide what we must store, what does not require storing, and ensure that all the mission-critical data is protected at the level required. Lastly, we only store the data for as long as needed.
“More than 77% of organizations do not have a Cyber Security Incident Response plan” and “most companies take nearly 6 months to detect a data breach, even major ones”. This is not the case at Fortech, where we have policies and processes in place and the right people to implement them.
If an incident happens despite all our protective and preventive measures, we respond by following the incident management process. Depending on the situation, we address technical vulnerabilities by segregating the affected systems, deactivating the affected service, amending access opportunities, such as via firewalls, applying changes to monitoring, and raising user awareness.
To get ready for the worst, we have documented and tested processes for disaster recovery management, IT service continuity management, and business continuity management.
Moving the entire workforce to remote mode almost overnight forced Fortech to take huge leaps in cyber security. Such advances might have taken us years in normal times. The company reached this point by creating a true cyber security culture, documenting, adding, and implementing new processes, and emphasizing resilience and diversity in its teams. We will soon take security a step further by adding AI solutions for threat prevention and detection and for security awareness training.
The pandemic brought on the opportunity to create foolproof remote offices, improve remote communication, and explore new features for our security and enterprise systems.
As the hacker-target race will not end with the virus, we will continue all the current security projects after re-opening the offices and start other initiatives when necessary. Keeping the data entrusted to us by our clients secure shall always be our top priority and receive all the resources required.