Any software or web app can have security vulnerabilities – just ask Google, which recently announced it had fixed a bug that allowed hackers to steal passwords from Google accounts.
The bug was discovered by a security researcher who exploited a weakness in the way Google's web apps handle requests. The researcher sent an email containing a link that claimed the user's password had been stolen and asked them to reset their account information.
When users clicked the link, they landed on Google's genuine account reset page. What they didn't see was that, on the way there, they were briefly routed through the attacker's page, which ran a script that captured the new password and authentication data once they were entered. A flaw in Google's web apps made this interception possible.
If you keep track of cyber security news, you'll read stories like this every week. For instance, in the last few days, new disclosures showed that Apache Tomcat and Debian's Nginx packages had vulnerabilities that attackers could exploit.
The prevalence of these attacks emphasizes how important it is for your business to test software for bugs and security weaknesses so you can avoid the reputational damage and high costs associated with data breaches.
Security Testing: Vital for Software Companies Handling Confidential Data
In addition to triggering fines for enabling or failing to prevent data breaches, security bugs in software or web services can lead to cyber liability lawsuits. As these threats grow, testing software becomes more and more crucial.
To adequately manage these risks, a software risk management plan should do the following…
- Maintain high levels of security. Twitter recently announced that it had enabled forward secrecy for encrypted connections to its servers, following Google, Dropbox, and Facebook, which have taken similar steps to guard user data. With perfect forward secrecy, each session between a user and the company's servers is protected by a unique key that is generated for that session and discarded afterward. Because the key is never stored, an attacker who later obtains the server's long-term private key cannot decrypt sessions recorded earlier, which limits how much data a single key compromise exposes. As the owner of an IT business, it's your legal responsibility to stay on top of developments in cyber security, updating your security protocols to reflect them and to prevent new, more sophisticated attacks. Whether that means encrypting data, educating employees, or installing high-quality security software on your computers, you need to act as a steward for user data, guarding it from hackers and data breaches.
- Test for security. I opened this article with a recent example from Google that emphasizes how important software testing can be. Software testing can reveal a potentially devastating vulnerability before it's too late, and prevent you from being sued. In our post "Software Testing: A Growing Market for IT Professionals," we went over some of the techniques software testers use to check their products. But it's important to keep in mind that even after you deliver software to clients, you are responsible for making sure it isn't vulnerable to attacks. What does that mean for small IT companies? You may have to update software in response to new malware and other threats. For a recent example of this problem, check out our article "Stale Coffee: Old Versions of Java Expose Programmers to Cyber Liability," which explains how problems with Java 6 could leave your old programs vulnerable.
- Protect your business from data breach costs. Between fines, legal fees, notification, and credit monitoring costs, a data breach can cost your business thousands of dollars. The Ponemon Institute's Cost of Data Breach Study, sponsored by Symantec, found that breaches in the US cost an average of $188 per stolen record. Let's say you suffer a small data breach and a cyber criminal steals a spreadsheet with 100 customer records. Even for this small breach, you could expect $18,800 worth of expenses. For a business with 1,000 customer records, you'd be looking at a $188,000 bill. Cyber liability insurance (also called data breach insurance or cyber risk insurance) can cover a lawsuit when a hacker breaks into your network or steals data from a client's computer. In addition, this insurance pays costs associated with a data breach, including customer notification and credit monitoring (two of the most expensive aspects of a data breach). For some businesses, this coverage is included in an Errors and Omissions Insurance policy. One software defect could lead to a long, expensive lawsuit. Fortunately, in addition to offering some cyber coverage, E&O insurance pays for lawsuits over errors in your code.
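To make the forward secrecy point from the first bullet concrete, here is an added example (not code from this article, nor from Twitter, Google, Dropbox or Facebook) in Python using only the standard library. It runs a Diffie-Hellman handshake over the 2048-bit group from RFC 3526 in two modes: a server that reuses its one long-term key for every session, and a server that generates a fresh exponent for each session and throws it away. A passive eavesdropper records both handshakes; later, the server's long-term private key leaks. The example goes slightly beyond the bullet: it shows that a unique key per session is not by itself enough, since even the static server ends up with a different key for each client; what protects recorded traffic is that the server's contribution was ephemeral and discarded. The `Server`, `run_session` and `recover_from_recording` names, the in-process transcripts and the hypothetical key leak are all assumptions of the example.

```python
"""Forward secrecy: ephemeral vs static Diffie-Hellman (added example, not the article's code)."""
import hashlib
import hmac
import secrets

# 2048-bit MODP prime and generator from RFC 3526, group 14 (value reproduced from the RFC).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; used only to sanity-check the group parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane() -> bool:
    """p is a safe prime (p = 2q + 1, q prime) and g generates the order-q subgroup."""
    q = (P - 1) // 2
    return is_probable_prime(P) and is_probable_prime(q) and pow(G, q, P) == 1


def dh_keypair():
    """Private exponent of 256 bits (about 128-bit security in group 14) and its public value."""
    priv = secrets.randbits(256) | (1 << 255)
    return priv, pow(G, priv, P)


def encode(pub: int) -> bytes:
    return pub.to_bytes(P_BYTES, "big")


def derive_key(shared_secret: int, transcript: bytes) -> bytes:
    """HMAC-SHA256 extract step (in the spirit of HKDF) binding the raw secret to the handshake."""
    return hmac.new(transcript, shared_secret.to_bytes(P_BYTES, "big"), hashlib.sha256).digest()


class Server:
    """ephemeral=True: fresh exponent per session, discarded after the handshake (as TLS with
    (EC)DHE does). ephemeral=False: the long-term key is reused as the session key material."""

    def __init__(self, ephemeral: bool):
        self.ephemeral = ephemeral
        self.long_term_priv, self.long_term_pub = dh_keypair()

    def respond(self, client_pub: int):
        if self.ephemeral:
            priv, pub = dh_keypair()  # lives only for this call
        else:
            priv, pub = self.long_term_priv, self.long_term_pub
        transcript = encode(client_pub) + encode(pub)
        return pub, derive_key(pow(client_pub, priv, P), transcript)


def run_session(server: Server):
    """One handshake: returns the client's key, the server's key and what a passive
    eavesdropper on the wire would have recorded (constructed in-process, nothing on the network)."""
    client_priv, client_pub = dh_keypair()
    server_pub, server_key = server.respond(client_pub)
    transcript = encode(client_pub) + encode(server_pub)
    client_key = derive_key(pow(server_pub, client_priv, P), transcript)
    return client_key, server_key, {"client_pub": client_pub, "server_pub": server_pub}


def recover_from_recording(recording: dict, leaked_server_priv: int) -> bytes:
    """What an attacker tries after obtaining the server's long-term private key: redo the
    server's side of the recorded handshake with that key."""
    transcript = encode(recording["client_pub"]) + encode(recording["server_pub"])
    return derive_key(pow(recording["client_pub"], leaked_server_priv, P), transcript)


def demo() -> dict:
    """Per mode: whether a later leak of the long-term key recovers a recorded session's key."""
    outcome = {}
    for mode, ephemeral in (("static", False), ("ephemeral", True)):
        server = Server(ephemeral)
        client_key, server_key, recording = run_session(server)
        assert client_key == server_key, "both sides must agree on the session key"
        outcome[mode] = recover_from_recording(recording, server.long_term_priv) == server_key
    return outcome


if __name__ == "__main__":
    print(demo())  # {'static': True, 'ephemeral': False}
```

Two sessions against the same server always get different keys because the client picks a fresh exponent each time, yet only the ephemeral server keeps recorded traffic safe after its key leaks: the static server's long-term exponent is enough to recompute every past session key from the recording. In deployed systems this is why TLS cipher suites using ECDHE or DHE are preferred over RSA key transport. One caveat a practitioner should keep in mind: forward secrecy protects previously recorded sessions against a later key compromise; it does nothing for sessions that are active while the server itself is under an attacker's control.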
Keeping up with security, testing software, and protecting your business with IT insurance are three key components to a comprehensive risk management strategy. Your business might not be the size of Google or Twitter, but you can learn a lot from their efforts to test software and prevent data breaches.