[BreachExchange] ‘Secure by Design’: why are so many businesses failing?

Destry Winant destry at riskbasedsecurity.com
Thu Mar 29 00:01:01 EDT 2018


https://www.cso.com.au/article/635453/secure-by-design-why-many-businesses-failing/

Ransomware, data breaches, phishing attacks, and most recently,
‘cryptojacking’…barely a week goes by without yet another example of a
security breach hitting news headlines. While most businesses are
aware that operating in an online environment puts them at automatic
risk of a cyber-attack, many are still failing at basic security
hygiene – particularly in the planning and implementation of new IT
systems.

While common sense would dictate that security vulnerabilities are
more expensive and time-consuming to fix after the fact, project teams
still tend to overlook (or completely cast aside) security until much
later in the design process. Not only does this put the project itself
at risk (think missed deadlines and added cost), but an insecure
system can also expose the entire business to significant financial
or reputational risk.

The reason why businesses – or more specifically, project teams –
continue to take such a relaxed approach to security is something that
continues to baffle security experts. With Australia’s new data breach
reporting laws having come into play last month, it’s more important
than ever that Australian businesses take a more considered approach
to the security of IT systems.

In reality, businesses should take a ‘Secure by Design’ approach not
only to reduce the likelihood of projects running into unexpected cost
but also avoid exposing the business to unnecessary risk.

Security often ‘tacked on’

It’s true that the security aspect of any new IT system probably isn’t
going to be the thing that gets the project team excited. Security
relies heavily on people and process – and everyone is likely to be
focused on designing and building the incredible technology and all
the things it can do. Unfortunately, it’s precisely this sort of
short-term thinking that leaves vulnerabilities in your IT that can be
easily exploited by cybercriminals.

One example of this in action is the recent hack of an Australian
defence contractor, which saw information about Australia’s Joint
Strike Fighter program and additional military hardware stolen.
However, despite the constant barrage of highly public security
compromises, and the significant financial and reputational impact
they have, the level of maturity and awareness relating to business
risk and information security is mixed at best. Government does tend
to be somewhat ahead of the game; much of the private market, however,
is immature, with a tendency to rush into delivering the functionality
desired by the business.

Unfortunately, for many businesses it often takes a negative
experience to put the topic of information security on the agenda.
Aura’s team is regularly called upon at the last minute to help
remediate security vulnerabilities that could have easily been fixed
much earlier in the project.

Why be ‘Secure by Design’?

A ‘Secure by Design’ approach allows businesses to identify security
risk in the early stages, and remediate vulnerabilities when it is
most cost and time effective. Essentially, ‘Secure by Design’ is about
proactively managing your information security risk throughout the
project, which in turn enables you to deliver a secure outcome to your
business.

Think of it this way: Imagine trying to retrofit seatbelts, airbags,
and crumple zones to the design of your car – sounds hard, doesn’t it?
When you buy a car, you sort of expect that the manufacturer has
considered all of those safety features before they started thinking
about performance and aesthetics. The same should apply when
implementing a new IT system.

The security lifecycle

Whenever you implement something new, or make a significant change,
you run the risk of introducing security vulnerabilities. ‘Secure by
Design’ aims to give businesses visibility of these risks as early as
possible, so they can manage them most effectively.


More information about the BreachExchange mailing list