2017 was exceptionally instructive for companies curious about what not to do when it comes to cybersecurity. There are two major takeaways we can learn from the past year:
As we move into 2018, almost every organization relies on the web to build its business. Consequently, every company needs a cybersecurity plan.
Data breaches are preventable: the breaches of the past year could have been avoided if the companies involved had adhered to security best practices.
It’s with this second point in mind that we dive into 5 ways in which you can protect your business from data breaches and cybersecurity threats.
1. Build applications that are secure by design
When it comes to application security, the best defence is a good offence. This means baking security into your Software Development Life Cycle (SDLC). The best way to go about this is through Threat Modelling.
Threat Modelling is a method used to identify the security posture of an application. By assessing the application during the design phase, Threat Modelling enables you to identify potential threats, so that you can ensure the proper security controls are in place to prevent a data breach.
In addition, penetration testing and source code analysis need to take place during development, not as an afterthought.
Doing this ensures not only a secure application by design but also smoother application development. It’s harder to retrofit security into a completed application than it is to build it into the development cycle.
2. Keep your applications up-to-date
This is true of both applications developed in-house, as well as those built by a third party. Keeping your apps up-to-date gives you the best chance of fending off a security threat. It also ensures that, should a data breach occur, you are less likely to be held liable. Therefore, ensure application code, plugins and frameworks are kept up-to-date and new iterations of the application are developed with security in mind.
3. Don’t neglect your infrastructure
With all the focus on application security, you need to make sure you don’t forget about your infrastructure. If attackers can’t penetrate your organization through an application, they will look for a way through another system. Consequently, ensure that web servers and other network devices are kept up-to-date, in addition to your applications.
4. Continuously perform security assessments and penetration testing
Security penetration testing is the process of attacking your application or infrastructure to bring vulnerabilities to light. This form of testing should be done after every significant change to an application or on a quarterly basis. All penetration tests should be modelled after real-world threats. For examples of threats to begin testing for, check out OWASP Top 10 Application Security Risks of 2017.
5. Train your employees on security best practices
If an attacker cannot penetrate your applications or your infrastructure, they will target the weakest link of all: employees. One of the biggest threats to an organization is internal personnel. The click of a malicious link in an email can compromise your entire company.
I cannot stress the importance of employee security awareness training enough. Annual security awareness training should be mandatory for all employees, and you should test employees by performing random simulated attacks, such as phishing.
Above all, ensure you take a proactive mindset to cybersecurity. If you wait until there’s a breach in the media, you’ll find yourself scrambling for an immediate fix. At best, this represents a massive headache and time sink; at worst, you won’t have time to prepare yourself for a cyber attack.
Interested in working at TELUS Digital? Check out our careers page and reference this post in your application.