Every organisation is a software organisation, but for healthcare providers and pharmaceutical organisations the stakes are high when it comes to data breaches. In a healthcare setting, software security problems can have direct effects on patient health. In addition, regulations like HIPAA (US) and GDPR (Europe) add a layer of complexity. Organisations must manage software security and data security properly, but they must also be able to demonstrate compliance with applicable regulations.
With that in mind, Jonathan Knudsen offers his ten top tips to help organisations avoid data breaches.
1. Make software security a first-class citizen
Does your organisation have a Software Security Initiative (SSI)? If not, create one. Make managing security a top-level concern, with a dedicated team. The security team should be outgoing and evangelical, in the sense that they help the rest of the organisation understand software security and implement processes to reduce risk. Give the security team the authority to guide the entire organisation into good practices.
2. Make everyone responsible for security
Don’t be fooled into thinking that the security group is responsible for all things related to security. Security really is everyone’s responsibility. Your organisation needs to let all employees know that security is a priority; the security team is there to help, teach, and advise.
3. Make decisions based on risk
Software security can be difficult to understand, and there is no shortage of vendors offering products and services. How do you know where to apply your time and money most effectively? The answer is to view software security through the lens of risk. What are your most valuable assets? What types of attacks could occur? What steps could you take to get the greatest reduction in risk? The answers might surprise you; sometimes simple steps can have a big impact.
4. Educate your employees
Training is an important step. You cannot make everyone responsible for security if everyone does not understand security. All employees should have fundamental security training at regular intervals, and this training should be supplemented with exercises that help make knowledge sticky. For example, providing training that instructs users to avoid clicking on links in unfamiliar emails is a good idea, but an even better idea is to periodically send employees such emails and let them know when they click a link that shouldn’t be clicked.
5. When you build software, build security in
If your organisation creates software, use a Secure Software Development Life Cycle (SSDLC). This means that security is a consideration at every phase of development, from design through to implementation, testing, and maintenance.
Getting security built into the process is the most important step. The security team can provide help and expertise in getting this right. Security testing tools should be automated and integrated with the development process so that they become part of the day-to-day work of the development team.
6. When you buy software, ask questions
When you are procuring software, make sure your vendors are following an SSDLC. Ask them for documentation of the process they use. Ask for security testing results. If you have the resources, get a copy of the vendor’s product and perform your own independent security testing. Get as much information as possible so that you can make informed, risk-based decisions when you are selecting products to use in your own organisation.
7. Use threat modelling to design systems
Threat modelling is a way of thinking about attackers and how they might compromise your systems. It is a useful exercise during the design phase of a software development life cycle but is equally informative when designing systems or networks.
8. Use two-factor authentication
This might seem like a simple top tip, but it is important. Many attacks and breaches are based on compromised credentials, in which an attacker obtains or is able to guess a legitimate user’s password. Implement two-factor authentication to make such attacks far more difficult and, consequently, data breaches far less likely.
9. Be prepared
Remember, risk can be lowered but never eliminated. Even when you do everything right, bad things still happen sometimes. Don’t be caught unaware. Make sure you have solid, tested plans for incident response and recovery.
10. Treat security as an enabler
Security needs to be part of everyday business. When properly implemented, security helps every aspect of the business run better. If you’ve made the investment to think about security holistically, to plan systems and networks properly, and to follow best practices, then security is the grease that helps your organisation’s machine run more smoothly. While security might seem like an unwanted and costly obligation, when treated correctly, security helps streamline your business and propel it forward.