Own IT: Key Security Considerations When Launching a New System
October 8, 2019
Cybersecurity Awareness Month (CSAM) is a global initiative created by the Department of Homeland Security 16 years ago to recognize the importance of digital security for consumers and organizations alike. Enterprises, employees, and end users all need to band together to #BeCyberSmart.
Herjavec Group is proud to be a CSAM Champion!
Contributed by Sean Higgins, Co-Founder & CTO, Herjavec Group
New connected tools and technologies give businesses new ways to innovate and modernize their processes, but they also open new paths for attackers to reach your most important data.
Despite the warnings, security is often the last consideration when enterprises launch a new system or technology. While this is improving, organizations are still having their cybersecurity conversations too close to the launch date, which has real consequences: a strong security program cannot be implemented overnight, and controls bolted on at the last minute are the ones most likely to be skipped or misconfigured.
For example, when building a web-based order entry system that will interface with your financial systems, there are a lot of questions you need to ask whose answers will shape the security of the whole environment, such as:
Where will the entry system be located: in a data center or in the cloud?
- The easy answer might be the cloud, but where is the data your system needs actually located?
- If the data lives in a financial system in your data center, does the cloud environment have a secure, controlled path into your data center (for example, a dedicated VPN or private connection rather than a port opened on the internet)?
- If not, how are you going to access the data securely?
- If you are putting the system in your data center, where will it be positioned in your network?
- Are you going to use an existing DMZ, or build a new one?
If you are going to develop a web-based application, which platform do you plan to use?
- Windows or Linux? IIS or Apache?
- From a performance perspective you might say Apache on Linux, but does your company have a process for maintaining and patching Apache and Linux platforms, or is all of its patching experience on Windows?
- Patching is one of the most important ways to make sure your system is not an easy target for attackers who rely on exploits for known, already-fixed vulnerabilities.
What tool kit are you going to use for development?
- Are you going to use licensed or open-source tools?
- While open-source tools may cost less to acquire, ask yourself: are the tools actively being maintained, and who will apply their updates?
- Some organizations are turning away from open-source tools because of the security risk of unmaintained components: a library that nobody patches carries every vulnerability discovered after its last release, and it is your system that is exposed.
How will you implement authentication?
- For order entry systems, how will you validate the users of the environment?
- Are you going to use a local authentication system?
- If you are using local authentication, are you going to build your own, or will it be based on an established library?
- Will the data be encrypted, both in transit and at rest?
- Will any data be stored on the web server itself, where a compromise of the web tier exposes it directly?
How will new users be created?
Whether you are using a local authentication system or an internal directory service, you need to decide how users will be created and managed over their lifetime. Each of the following is a process that affects the overall security posture of your environment.
- Who can create the users?
- What is the process to remove a user?
- How often do you validate the accounts?
- What are the levels of user permissions?
- How are you going to reset the user passwords?
- Are you going to let the users reset their own passwords?
If users can reset their own passwords and the process is too easy (for example, a reset that depends only on guessable personal details, or on a short code that can be tried repeatedly), an attacker can use the reset flow itself to take over accounts without ever knowing the original password.
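The two groups of questions above (local authentication and the user lifecycle) are easier to reason about with a concrete, if minimal, implementation in front of you. The following is an added example and not code from the original post or from Herjavec Group. It assumes an in-memory user store for an order entry system; the class names, the role list and the 90-day review window are this example's own choices. It shows passwords hashed with a standard KDF (hashlib.scrypt) rather than a home-grown scheme, reset tokens that are random, stored only as a hash, time-limited and single use, named permission levels, and a dormant-account check for periodic validation.

```python
# Added example, not code from the original post. A minimal local-authentication
# and account-lifecycle store for an order entry system: standard KDF for
# passwords, random single-use time-limited reset tokens stored only as a hash,
# named permission levels, and a dormant-account check. Class and function
# names, the role list and the 90-day window are this example's assumptions.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
ROLES = ("clerk", "approver", "admin")   # permission levels (assumed)
RESET_TTL_SECONDS = 15 * 60              # reset tokens stop working quickly
STALE_AFTER_DAYS = 90                    # idle window for account review


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash encoded as 'scrypt$N$salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%s$%s" % (SCRYPT_N, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, n, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return algo == "scrypt" and hmac.compare_digest(digest.hex(), digest_hex)


# Verifying unknown users against this hash costs the same as a real check,
# so response time does not reveal which usernames exist.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class User:
    username: str
    password_hash: str
    role: str
    last_login: float                       # unix time of last login (or creation)
    reset_token_hash: Optional[str] = None  # never the token itself
    reset_expires: float = 0.0


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def create_user(self, username: str, password: str, role: str, now: float) -> User:
        if role not in ROLES:
            raise ValueError("unknown role: %r" % role)
        if username in self.users:
            raise ValueError("user already exists: %r" % username)
        self.users[username] = User(username, hash_password(password), role, now)
        return self.users[username]

    def remove_user(self, username: str) -> bool:
        return self.users.pop(username, None) is not None

    def authenticate(self, username: str, password: str, now: float) -> bool:
        user = self.users.get(username)
        if user is None:
            verify_password(password, _DUMMY_HASH)   # equalise timing, then fail
            return False
        if not verify_password(password, user.password_hash):
            return False
        user.last_login = now
        return True

    def issue_reset_token(self, username: str, now: float,
                          ttl: int = RESET_TTL_SECONDS) -> Optional[str]:
        """Returns the one-time token to deliver out of band (e.g. by email)."""
        user = self.users.get(username)
        if user is None:
            return None          # caller should answer identically either way
        token = secrets.token_urlsafe(32)        # 256 random bits: not guessable
        user.reset_token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        user.reset_expires = now + ttl
        return token

    def redeem_reset_token(self, username: str, token: str,
                           new_password: str, now: float) -> bool:
        user = self.users.get(username)
        if user is None or user.reset_token_hash is None or now > user.reset_expires:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(presented, user.reset_token_hash):
            return False
        user.password_hash = hash_password(new_password)
        user.reset_token_hash = None             # single use: a second redemption fails
        return True

    def stale_accounts(self, now: float, max_idle_days: int = STALE_AFTER_DAYS) -> List[str]:
        """Accounts idle longer than the window: candidates for the removal process."""
        limit = max_idle_days * 86400
        return [u.username for u in self.users.values() if now - u.last_login > limit]
```

The two decisions that matter most for the self-service reset question are visible in the code: the token is long enough that it cannot be guessed, and it is stored only as a hash, so a leaked copy of the user table does not hand out working reset links. Expiry and single use close the remaining window. In a real deployment the store would be a database, the token would be delivered by email or SMS, and reset and login attempts would be rate-limited.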
Will you be implementing multi-factor authentication (MFA)?
For an internet-facing web application, a username and password alone are easily defeated by phishing, password reuse, and credential stuffing, but rolling out an MFA system has a cost. Depending on the value of the data, the risk of a compromised account may be acceptable, so it is up to your team to decide: "Is that a risk we want to take?"
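To make the MFA decision concrete, here is the server side of a TOTP second factor (RFC 6238), the form any authenticator app can supply and usually the cheapest to roll out. This is an added example, not code from the original post or from Herjavec Group. It assumes each user's shared secret is stored server side; the TotpVerifier class, the one-step drift window, and the replay check are this example's own choices. The constructed test secret is the one published in RFC 6238 Appendix B.

```python
# Added example, not code from the original post. Server side of a TOTP
# second factor (RFC 6238). Per-user secrets are assumed to be stored server
# side; TotpVerifier, the +/-1 step window and the replay check are this
# example's own choices.
import hashlib
import hmac
import secrets
import struct
from typing import Callable, Dict


def hotp(key: bytes, counter: int, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """Time-based OTP: HOTP over the number of `step`-second periods since epoch."""
    return hotp(key, at // step, digits, algo)


class TotpVerifier:
    """Per-user secrets plus the state needed to reject a replayed code."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.step, self.digits, self.window = step, digits, window
        self.keys: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}   # highest period already accepted

    def enrol(self, username: str) -> bytes:
        """New 160-bit secret; in practice shown once to the user as a QR code."""
        self.keys[username] = secrets.token_bytes(20)
        return self.keys[username]

    def verify(self, username: str, code: str, at: int) -> bool:
        key = self.keys.get(username)
        if key is None or len(code) != self.digits or not code.isdigit():
            return False
        counter = at // self.step
        used = self.last_counter.get(username, -1)
        # Tolerate small clock drift between phone and server, but never accept
        # a period at or before one already redeemed (this stops code replay).
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= used:
                continue
            if hmac.compare_digest(hotp(key, c, self.digits), code):
                self.last_counter[username] = c
                return True
        return False
```

A six-digit code has only a million possible values, so the verifier is only as strong as the rate limiting in front of it; the replay state should live with the user record, not in process memory, so that it survives restarts and is shared across web servers.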
If you are integrating with the financial system, what data will you be pulling from it (e.g. product codes or inventory balances), and what will you be writing back? In addition, how will you maintain access control for that integration? The credential the order entry system uses to reach the financial system should be limited to exactly the data it needs and nothing more, so that if the web application is compromised, the attacker cannot use its connection to read other sensitive company data.
Owning your security program means making security a priority for any project in your environment. By keeping security considerations top of mind, you may be able to avoid unnecessary data loss or falling victim to cyber crime.
Remember: the goal of a strong security program is to keep risk at an acceptable level so that the business can achieve its goals. Keep an accurate, up-to-date risk register so that the threats to each system, and the decisions made about them, stay visible.
To learn how Herjavec Group can help you design a security program for your unique enterprise needs, connect with a security specialist today.