The founder of a local cybersecurity firm highlights some of the most common preventable mistakes that can compromise corporate data
“Better safe than sorry” has never been more true when it comes to business. As companies everywhere reap the benefits of a hybrid workforce, they find themselves increasingly relying on web applications to get things done. They’re also starting to think about the data risks associated with working from home.
Businesses have good reason to worry. More than 90 percent of cyberattacks last year involved web applications, according to a Verizon data breach investigations report that analyzed almost 80,000 incidents.
Farshad Abasi, founder and chief security officer of Vancouver-based Forward Security, sees a lack of awareness about what’s really behind cyberattacks. “Historically, every dollar that’s been spent on cybersecurity has been spent on infrastructure—securing the computers that people work on, the network and firewalls, virus checkers and all that stuff,” Abasi says. “Companies have been ignoring software security, and now that more than half of the attacks are coming through web applications, they’re not prepared.”
[Photo: Farshad Abasi, founder and chief security officer of Forward Security. Credit: Forward Security]
So what can you do to protect your data? Here are five things that Abasi suggests you get cracking on right away.
1. Scan for software-specific vulnerabilities
Network-level scanning is important, but investing in tools that regularly scan your apps for vulnerabilities is analogous to running antivirus software on your computer. “Most companies don’t have ongoing malware detection,” Abasi says. “At best, they’ll go to a third-party company once a year, and they’ll do what’s called a pen test.” Going that route is like running your antivirus software one day a year, Abasi warns. “When it comes to software, pen testing is the least effective method. What they should be doing is design review, threat modelling, source code analysis and pen testing as a combination.”
2. Train your staff in software security
Sometimes, even after investing in software protection tools, companies report issues that don’t make sense. As a former developer, Abasi notes that one reason could be a lack of training. “It’s really important for organizations to, at least once a year, have their staff go through some security development training and be aware of the low-hanging fruit.” In fact, there’s an 80/20 formula: 80 percent of such security risks are preventable mistakes, according to Abasi. “When we started doing annual training, those issues started to go away. And what remains of the 20 percent more difficult problems, there are specialists that you can bring in to help you adjust them.”
3. Meet Level 1 of OWASP’s ASVS
What’s with all the acronyms? Glad you asked. The Open Web Application Security Project’s Application Security Verification Standard (ASVS) defines three levels of security verification, with Level 1 the baseline that all software should meet and Level 3 the most in-depth verification, reserved for the most critical applications. Forward Security recommends ensuring that every corporate app exposed to the internet meets at least Level 1 of ASVS.
4. Assess risk and impact
What does software do? It provides access to important information. Abasi breaks data threats down into three categories: “risks related to confidentiality of that data, the integrity of that data and the availability of that data.” Business impact assessments can help companies know the risks to their assets and prepare accordingly.
“Risk is a factor of how much impact occurs when the bad stuff happens and what the probability of the bad stuff happening is,” Abasi says. “By doing it systematically—identifying the assets, where they’re stored, what the impact would be if they were compromised or modified, and then the likelihood of that compromise happening—you’ll have a pretty good idea of the risk and where to focus your efforts.”
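The systematic approach Abasi describes, as an added worked example that is not from the article or from Forward Security: each asset is recorded with where it is stored and the impact of losing its confidentiality, integrity or availability; each threat to it is given a likelihood; risk is impact multiplied by likelihood, and the register is ranked so the highest risks come first. The 1-to-5 rating scales, the asset names, the threats and every score below are constructed for illustration.

```python
"""Added example: a minimal risk register (risk = impact x likelihood).
Scales, assets, threats and ratings are all constructed assumptions."""

from dataclasses import dataclass, field

# Ordinal 1-5 scales (an assumption; use whatever scale your organization agrees on).
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass
class Threat:
    name: str
    affects: tuple      # which of PROPERTIES this threat damages
    likelihood: str     # key of LIKELIHOOD_SCALE


@dataclass
class Asset:
    name: str
    stored_in: str      # "where they're stored"
    impact: dict        # property -> key of IMPACT_SCALE
    threats: list = field(default_factory=list)


def threat_risk(asset, threat):
    """Risk of one threat to one asset: worst affected impact x likelihood."""
    if not threat.affects or any(p not in PROPERTIES for p in threat.affects):
        raise ValueError(f"threat {threat.name!r} must affect one of {PROPERTIES}")
    impact = max(IMPACT_SCALE[asset.impact[p]] for p in threat.affects)
    return impact * LIKELIHOOD_SCALE[threat.likelihood]


def rank_risks(assets):
    """Return (score, asset, threat) rows, highest risk first, ties by name."""
    rows = [(threat_risk(a, t), a.name, t.name) for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def format_register(rows):
    """Plain-text report of a ranked register, one line per asset/threat pair."""
    return "\n".join(f"{score:>3}  {asset:<24} {threat}" for score, asset, threat in rows)


def sample_assets():
    """Constructed sample data: three assets with one or two threats each."""
    return [
        Asset("Customer records", "production database",
              {"confidentiality": "severe", "integrity": "major", "availability": "moderate"},
              [Threat("Customer portal breach", ("confidentiality", "integrity"), "likely"),
               Threat("Database host outage", ("availability",), "possible")]),
        Asset("Employee laptops", "remote staff home networks",
              {"confidentiality": "major", "integrity": "moderate", "availability": "minor"},
              [Threat("Malware on an unmanaged home machine", PROPERTIES, "likely")]),
        Asset("Marketing site content", "CMS on shared hosting",
              {"confidentiality": "negligible", "integrity": "minor", "availability": "minor"},
              [Threat("Website defacement", ("integrity", "availability"), "possible")]),
    ]


if __name__ == "__main__":
    print(format_register(rank_risks(sample_assets())))
```

Running the script ranks the customer portal breach (impact 5, likelihood 4, risk 20) ahead of malware on a home machine (16), the database outage (9) and the defacement (6), which is the "where to focus your efforts" output Abasi describes; the register is only as good as the impact and likelihood ratings fed into it, so those should come from the business owners of each asset rather than from the security team alone.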
5. Review the Government of Canada’s Baseline Cyber Security Controls for Small and Medium Organizations
Comparing your company’s standards with the federal guidelines will help identify the weak spots in your cybersecurity. That way, you can take steps to reduce risk. To target risks associated with employees working from home, Abasi argues, there should be regulations to ensure that corporate data is safe.
“It’s important to install various software on that employee’s machine—for example, threat detection, endpoint protection, anti-malware,” he adds. “But employees should not have to pay for that; the company should be providing that software for the employees to [equip] their machines and then monitoring it so if something does happen on that employee’s machine, at least there’s software provided by the company that detects that.”