The foundations of building a secure product
Small businesses don’t have the resources of larger organisations, but can be just as exposed to a potential data breach.
229. That’s the average number of days that it takes to find a security breach, or at least the known-about security breaches. In reality, the number will be a lot higher, as there will be an array of unknown breaches out there.
During 2017 there were over 4000 ransomware attacks every day in the US, up from 1000 attacks a day in 2015. The cost of global damages from cyber attacks in 2017 … a whopping $5 billion.
When starting out, every founder will know how important it is to build a product that follows standard security practices. Even one wrong move can cost your company a lot of time and money, and even worse, loss of customers. Yet for some reason, security is not prioritised. When in reality, once you’ve decided to go off into the unknown and build your new venture, it should be the first thing you think about.
We teamed up with DXW Digital, who led a discussion on how to build security into your product from the get go.
During the session we touched on 5 thinking points and first-step measures to start building out security in your platform from day 1. If you have a good grasp on all 5, you’re likely to be ahead of your competitors, and more often than not, being ahead of your competitors is what protects you from an attack.
1. Penetration Brief: What is the worst thing that could happen if your company’s security is breached?
You can begin to tackle this monster of a question by listing out the things you want to protect, which includes but is not limited to: physical infrastructure, virtual infrastructure, data, third-party services, dependencies, premises, people, your brand. Once you have defined what the worst outcome would be, you can chip away and build on the security continuously over time to ensure the worst outcome never happens.
2. Threat Assessment: What are the things that mustn’t happen to your organisation? And who would gain from those incidents?
This can be a whole array of disasters, from data breaches, to IP theft, defacement, denial of service, unauthorised changes, fraud, stalking, doxxing. Define what the absolute-must-not-happens are within your organisation. Assessing who would benefit from those incidents, internally and externally, can help develop the thinking on threat assessment.
3. Vulnerability Analysis: How will you know if a breach does happen?
Put simply: figure out what it looks like when bad things happen, and ensure you know when they are happening. You can start by monitoring something and seeing what it looks like when it goes wrong. Use that to get alarms in place, such as on Elasticsearch or AWS. Over time, refine the good alerts, get rid of the false positives, and continually build up knowledge of how to respond to each alert.
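As an added example, not code from the original post or from DXW: a small Python detector that walks through the monitor-then-tune loop described above over constructed SSH auth log lines. It first alerts on any source IP with 5 failed logins in a minute, then adds a tuning knob (distinct usernames in the window) to drop the false positive of one user mistyping their own password. The log lines, IP addresses, threshold and the `min_distinct_users` knob are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real data): one spray across several
# accounts from 203.0.113.7, and one user repeatedly mistyping from 198.51.100.5.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:04 sshd: Failed password for deploy from 203.0.113.7
2024-03-01T10:00:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:07 sshd: Failed password for guest from 203.0.113.7
2024-03-01T10:00:09 sshd: Accepted password for deploy from 198.51.100.5
2024-03-01T10:05:00 sshd: Failed password for alice from 198.51.100.5
2024-03-01T10:05:10 sshd: Failed password for alice from 198.51.100.5
2024-03-01T10:05:20 sshd: Failed password for alice from 198.51.100.5
2024-03-01T10:05:30 sshd: Failed password for alice from 198.51.100.5
2024-03-01T10:05:40 sshd: Failed password for alice from 198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")

def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1),
                      min_distinct_users=1):
    """Alert on each source IP with >= threshold failures inside `window`.

    min_distinct_users is the tuning step: raising it above 1 suppresses the
    single-user-typo pattern while still catching sprays across many accounts.
    """
    events = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, user, ip in parse_failures(log_text):
        events[ip].append((ts, user))
    alerts = []
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            users = {u for _, u in in_window}
            if len(in_window) >= threshold and len(users) >= min_distinct_users:
                alerts.append({"ip": ip, "failures": len(in_window),
                               "distinct_users": len(users)})
                break  # one alert per source IP is enough
    return alerts
```

With the default knob both IPs alert; with `min_distinct_users=3` only the multi-account spray does, which is the kind of refinement the post asks you to make over time.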
4. Preparation: How are you planning for an attack?
— Incident response: Have an incident response plan in place in case your company is breached. This needs ownership: allocate it to a single person or team to oversee and manage the response. In the unfortunate event that your company is attacked, you’ll be able to respond much faster and more effectively with a preexisting plan in place. Not having a plan can raise the cost of a data breach by 15%. Do not wait until disaster strikes to deal with your company’s data security.
— Disaster recovery: How long would it take you to get your production infrastructure back up and running? Ensure you are doing training drills with your team to prepare.
— Long-term follow up: Do you currently have a plan to fix one or two security issues per week? If not, build out a roadmap to do so. Make security a natural, ongoing and progressive process.
— Situational awareness: Most companies store data in a variety of locations. You should have full awareness of where the private or sensitive data is stored. Ensure a firewall is in place, systems are being patched, backups are being made and user accounts have strong passwords.
— Skills development: Never underestimate the importance of growing the team’s skills to protect your product. Each team member needs to be able to spot the red flags. It should be part of your employee on-boarding and subsequent regular training.
— Organisational buy-in: It can be extremely damaging to hold one person accountable for a data breach in an organisation, because if a security breach does happen, they may try to hide the situation and handle it alone. This could end up making the breach worse, and if you have compliance requirements to report data breaches, it won’t get reported, which could lead to penalties if it is later discovered. It is always best to have an open culture when it comes to data breaches.
5. Reporting: What would you do about a data breach?
Do you have full awareness of what you need to report and to whom, should an attack happen? From 25 May 2018, mandatory breach notification is being introduced under the General Data Protection Regulation (the GDPR). This will introduce a duty on organisations to report various breaches on personal data within 72 hours of becoming aware of the breach. You can read more on the ICO’s website.
Those are 5 basic data security measures, and should be the minimum considerations. However, you never really know how well you’re protected until you take a look from the perspective of a malicious attacker or a rogue insider. That’s why it is good practice to have regular (third party) penetration tests on your computer, network, and web systems to evaluate the security and find the vulnerabilities that an attacker could exploit. Bringing in a third party can give a fresh perspective. They’re not caught up in the bureaucracy of the business and they have nothing to gain politically.
A good penetration test will have a clear objective based around the core principle: What is the worst thing that could happen to your organisation? If it’s your first penetration test, it is likely they will find some serious issues and provide some extensive follow-ups. If the analysis seems lightweight, it’s likely that the testing was also lightweight, so you might want a second opinion!
Some good readings to get you going on building a secure system:
— NCSC’s cloud security principles (useful for evaluating SaaS suppliers)
— NCSC’s secure development guidance (detailed advice for helping development teams work more securely)
— Cyber Essentials (good basic advice that almost all organisations should follow)
— dxw cyber’s website (more background on DXW services, including penetration tests)