It may seem that digital security for B2B projects is an exceptionally challenging task. With all the intricacies, peculiarities, and complexities within the industry, it surely can take significant time and effort. But should cyber security be that difficult to achieve?
Each year, Allianz, one of the biggest insurance companies in the world, surveys many non-technical top managers from around the world. The respondents need to answer just one question: which business risk(s) do they expect to be most impactful for their businesses? For several years in a row, cyber incidents have ranked first.
Here is the full ranking from Allianz Risk Barometer 2023:
This demonstrates that, though it is not within their area of expertise, non-tech specialists understand that cyber threats are among the top business risks. That is why non-tech managers should be involved in cyber risk management as well: delegating all cyber risks to tech teams means assigning a huge part of business risk to one division only.
Effectively collaborating with tech teams lets them better understand your business and business goals. This leads to an exhaustive comprehension of how cyber risks impact your business and processes, which results in a better defense strategy.
Another point worth noting is that cyber security is not only about technology. You may think that using the best tools, working with top companies, and relying on top-of-the-line software/hardware will secure your sales from cyber threats. Unfortunately, it is not that simple. For optimal protection, you need to apply each aspect of the golden triangle of cyber security:
This is the golden triangle. It is meant for building cyber security inside your product/company, whatever it is you want to protect. And whether we are discussing products, software or hardware, we need to remember that if one wants to build a secure product, they need to implement the whole triad: technology, process, people.
Cyber security should not be viewed as an outer shell meant for defense. It needs to be an integral element within your project – the core component of the corporate culture.
If you set up the basis correctly, digital safety can become a systemic and easy-to-navigate process. Making cyber security the focal point of risk management and business strategy significantly reduces your vulnerability to digital threats and improves your ability to withstand attacks. In the long run, this helps achieve greater and lasting profit. So, let’s discuss what aspects should be included in this process.
It does not matter what type of application you use or develop. You need to implement at least partial testing, even for ready-to-use apps. You can rely on your own team, hire cyber security experts, external QA services, consultancies, or ethical hackers. This partial testing should include the following:
Security professionals will need to find well-known/common vulnerabilities and determine security weaknesses within your network specifically. They also need to consider issues in configurations or code in ready-to-use applications.
Here, specialists log into your app and check everything from the inside, including business logic and certain types of privilege escalation (when some users are able to obtain access, rights, or permissions that were never intended for them). It aims to find out what black-hat hackers can do in case they gain access to your project. Thus, this testing should be mandatory for application security.
For this, an ethical hacker or a QA company tries to locate logic or technological issues without signing into the application (an attack from the outside). For example, they can exploit repetitive actions that may lead to a denial of service (DDoS) or slow the system down. Consider registration spam.
When there is no limit on certain requests to your application, malicious hackers can flood your registration system with multiple requests or use email/SMS bombing (if you have additional verification for your clients/users).
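The request limit the paragraph above calls for, as an added example that is not code from the original article: a sliding-window limiter keyed per source IP for sign-ups and per address for verification-code sends. The limits, key formats and timestamps are assumed/constructed for the demonstration.

```python
# Added example (not from the original article): a sliding-window limiter for
# abuse-prone endpoints such as sign-up and verification-code sending.
# The limits, key formats and timestamps below are assumed/constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    max_requests: int   # requests allowed per window
    window_sec: float   # sliding window length in seconds


class SlidingWindowLimiter:
    """Keeps recent request times per (action, key) and rejects bursts."""

    def __init__(self, limits: dict[str, Limit]) -> None:
        self.limits = limits
        self._hits: dict[tuple[str, str], deque] = defaultdict(deque)

    def allow(self, action: str, key: str, now: float) -> bool:
        limit = self.limits[action]
        hits = self._hits[(action, key)]
        while hits and now - hits[0] >= limit.window_sec:
            hits.popleft()              # forget requests outside the window
        if len(hits) >= limit.max_requests:
            return False                # budget spent: reject, record nothing
        hits.append(now)
        return True


# Assumed policy: 5 sign-ups per source IP per hour,
# 3 verification-code sends per address per 10 minutes.
POLICY = {
    "register": Limit(max_requests=5, window_sec=3600),
    "send_code": Limit(max_requests=3, window_sec=600),
}


def simulate_spam(limiter: SlidingWindowLimiter) -> dict[str, int]:
    """Constructed burst: 20 sign-ups from one IP in a minute, then 8 code
    sends to one address in 40 seconds. Returns accepted/blocked counts."""
    out = {"register_ok": 0, "register_blocked": 0, "code_ok": 0, "code_blocked": 0}
    for i in range(20):
        ok = limiter.allow("register", "ip:203.0.113.7", i * 3.0)
        out["register_ok" if ok else "register_blocked"] += 1
    for i in range(8):
        ok = limiter.allow("send_code", "email:user@example.com", i * 5.0)
        out["code_ok" if ok else "code_blocked"] += 1
    return out
```

In production the per-key state lives in a shared store (not process memory) and the key for verification sends should be the target address, so one attacker cannot bomb a victim from many source IPs.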
So, when you are securing your application, remember the three tiers of testing: vulnerability-based, authenticated, anonymous.
You have probably heard about the NotPetya cyber attack. This attack was carried out almost six years ago, targeting Ukrainian infrastructure. At that time, black-hat hackers breached local software developers that worked on a product for taxation. They planted a backdoor in the app’s update and spread the modified version to all users. So, they penetrated not the application itself, not the front or back end, but the infrastructure of the software developers, and placed malicious code inside the application’s updates.
To test your developers’ infrastructure, you need to perform technical audits (e.g., penetration testing) and a process audit (e.g., checking a certain process, like password and patch management policies or backup procedures). While tech audits are designed to imitate a cyber attack (in the form of pentests), a process audit covers the policies, rules, and internal regulations that form the basis of cyber security inside the company. This combination allows you to better protect a system on both fronts.
If you are a developer of a software project, you probably have a standard, classical software development lifecycle. But you should consider the concept of ‘security by design’, i.e., building a secure product from the ground up. For this, you would need to:
Also, you need to reassess application risks after each new feature and upgrade. And this should be continuous, not a one-time venture. Security should be made a consistent process.
Training should not be limited to technical specialists only. Cyber hygiene and cyber awareness are a must for non-tech teams as well. Hence, you need to:
Because sometimes improper configuration of your technologies, e.g., protection software/hardware, can lead to security weaknesses and vulnerabilities. And many of our own projects have shown that tech teams may occasionally leave unforeseen entry points into the infrastructure for black-hat hackers.
You can use cyber hygiene approaches, rules, and cyber awareness programs to propagate digital protection. And if teams request some additional/specific training, you need to be prepared to approve it and invest your money in it, because low qualification of your personnel will lead to security weaknesses.
And do not forget about testing as well. If you just train the teams without practice, they will forget everything in a few weeks at most.
To further reinforce the project, you will need to build a cyber security culture inside your company. In this way, everybody will understand why they need to follow cyber security rules. For example, they should fully comprehend the reason behind choosing strong passwords, using multifactor authentication, etc. If you just enforce such rules without reaching full understanding, your employees will not grasp the implication of cyber risks, their consequences and impacts on the company. And such a cyber security program will be unsuccessful.
Additionally, you need to remember that your environments and subcontractors can influence your business/product as well (as is the case with supply chains, for instance). You may have heard about the SolarWinds cyber attack on one of the biggest software developers, bearing the same name. Black-hat hackers breached their system and delivered backdoor malware as an update, affecting a lot of US and European companies. They encrypted the infrastructure and demanded a ransom to decipher the data.
That is why you need to embed cyber security in your business ecosystem. Security is the responsibility of everyone in the company: tech specialists, top managers, and non-tech experts.
With this global collaboration, risk management will allow you to translate cyber risks into business risks and calculate losses and investments in cyber security.
If you are a software developer, you need to start from scratch when designing the application and build in the cyber security approach. For example, OWASP has a first-class framework for software developers. OWASP ASVS is the foundational set of rules for software developers on how to build a secure product for every programming language and every technology. This framework discusses everything you need to know about cyber security for your product.
When it comes to cyber security, a multi-sided approach is key. Only when you implement cyber security in every corner of your organization will you achieve the optimal level of digital protection. Without this philosophy, there is no real success. A lot of risks await your business, and to effectively counter them, you need to make cyber safety one of the building blocks of your project.
And back to our central question: should cyber security be that difficult to achieve? It can remain challenging for many companies, but probably not as challenging as some suppose. Start with finding cyber security partners/consultants with relevant experience, and they’ll help you set the right course.