Protect your organisation's credibility with cyber security

Monday 6 April 2020 Cyber Security

By Adam Esberger

From cyber attacks to GDPR fines to the risk of legal liability, organisations are facing increased risks from unprotected customer data and developer error. Here, we consider the impact of these vulnerabilities and the measures needed to protect against them.


Get GDPR-ready

With fines now in place, organisations are quickly realising that protecting customer data has never been more important. High-profile cases certainly make the case for getting your data sorted, with the first fines under GDPR being levied in July this year. British Airways was stung with a £183.39 million fine by the Information Commissioner’s Office (ICO), relating to an incident in 2018 in which the personal data of 500,000 customers was compromised.

This was the first GDPR fine of such a scale, roughly 367 times higher than the previous record fine handed to Facebook over the Cambridge Analytica scandal. Such moves are making businesses more aware of the risk posed by developer error and unprotected customer data, and show how important it is to fix any vulnerabilities as quickly as possible.

With a £99.2 million fine for Marriott International following hot on the heels of BA, there is no sign of this risk slowing down.


Liability – who’s to blame?

Aside from protecting customer data, there are other unforeseen risks companies are having to deal with when it comes to cyber security.

A key concern is the increased responsibility on companies to reduce vulnerabilities in their systems, given the threat of legal action when something goes wrong. If data and security are not managed carefully, this is a real risk. One example we have considered is an autonomous car. With no one in the driver’s seat, human error is eliminated, leaving only the systems to blame when something goes wrong.


But, if it does, who’s liable?

If the car runs on software and machine learning algorithms, which part of the process is at fault? The company that owns it, the agency that built it, or the developer who coded it? This is no small ethical and legal question when you consider the damage that could be done if an autonomous vehicle goes haywire. These security-related challenges need to be addressed and accounted for before, during, and after software development.

While there is no easy way for the industry to address these issues, in our experience the best approach is best-in-class, secure-by-design software that mitigates risk and removes vulnerabilities. By reducing the attack surface, clients and their customers’ data are kept safe.


The top ten vulnerabilities

These issues, such as GDPR and legal liability, mean there should be no delay in finding the best way to protect customer data and ensuring that software development carries less risk. In our experience, the best way to protect against software vulnerabilities is with hack-savvy developers. CACI IIG follows a Secure Software Development Lifecycle, which means processes are put in place to ensure code is secure.

The Security Experts Group within CACI IIG uses the OWASP Software Assurance Maturity Model (SAMM) to focus the secure development process. It gives developers a way to put processes in place that ensure code is secure, such as automated testing and peer review of code by other developers.

The OWASP Top Ten list of security risks also provides a standard that developers can work to in order to avoid publicly known vulnerabilities, such as broken authentication and security misconfiguration.

However, our work at CACI IIG is heavily influenced by our clients’ requirements, which means there is no single set of rules that guarantees software is secure. It is unique to each situation and set of features.

That being said, developers are still both the weakest link and the most pivotal players when it comes to cyber security. Reducing risk depends on the developers who code the software, and therefore they should be educated in best practice. While this may put too much onus on developers themselves, given the many other obstacles to getting security right, it is not a bad place to start.


Ensuring the best security possible

From internal education to listening and adapting to client requirements, it is imperative to have a flexible and responsive attitude to security. Keeping on top of best practice and applying a defence-in-depth strategy throughout all stages of software delivery are some of the many ways we ensure a risk-managed approach to building high-quality software and keeping customer data safe.

With best practice constantly changing, it is key that developers are as aware as possible of information about breaches. Internal education is a massive part of this. At CACI IIG, our Security Experts Group is made up of five of our most experienced developers. Led by myself, it is an internal community of developers that ensures security excellence and best practice at all times.


The future of security

We believe improving the understanding and education of security principles from the grassroots is the best way to keep ahead of risks for the future, but how can we embed these learnings early on in developers’ careers?

While the most important security principles have previously not been taught in school or university – only in industry – this may be set to change. Important developments in data protection such as GDPR are having a big effect on the way people view software development and its security. It is an important mission for the wider development community to look at how this can be improved at the grassroots, something we are constantly looking to achieve.

With an approach in which security principles and publicly known vulnerabilities are taught at every level of a software career, addressing these issues may become simpler and more achievable still.

If you are interested in discussing your cyber security needs with us, drop us an email at info@caci.co.uk.
