No matter your industry, you rely on a network of third parties to manage various aspects of your business. Along with services like cloud storage, website hosting, and network management comes the inherent risk of sharing sensitive data. We place trust in these vendors by default, and it’s easy to treat security like an afterthought — something we entrust to yet another third party.
By implementing Secure by Design (SbD) practices, you accept a collaborative relationship with software providers alongside common sense and a healthy dose of caution.
When hackers exploited a backdoor in SolarWinds software in 2020, it took months before anyone noticed that the software-supply-chain hack compromised thousands of networks. The Department of Justice, one of the more notable victims, identified suspicious activity on their server in May 2020, according to Wired, but the issue remained unresolved months later.
According to the article, several government entities were impacted by the breach, including the “US Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms, including Intel, Cisco, and Palo Alto Networks.” The incident highlighted a need for critical changes in security practices for software developers, businesses, and consumers alike.
Rather than responding to security threats as they arise, you can apply SbD principles to better protect your business with proactive steps. Follow basic security principles strictly, for a start, and be prepared to educate yourself. Understand the responsibilities of developers so you can make informed decisions about who you partner with.
Refresh your staff’s knowledge about cybersecurity best practices with a cybersecurity awareness training.
Make multifactor authentication (MFA) the default for your team.
Require regular password updates and complex passwords that include numbers and special characters.
Only store necessary consumer data, and review your data retention policy.
Build a network of reliable and secure software products and providers to work with.
Review your software systems, firewall, and website for updates (along with any plug-ins and extensions). Vulnerabilities from aging and outdated systems are a common culprit for data loss. Look for and remove any integrations or plugins that are no longer relevant. This will help reduce the number of parties that have access to your data.
Don’t automatically trust third parties. If a company makes claims about its security, make sure those claims have been, or can be, independently verified.
The Cybersecurity and Infrastructure Security Agency (CISA) has released updated SbD guidance for software developers and the companies who rely on them. This is a great place to start educating yourself about steps third-party vendors should be taking to safeguard vital data.
According to the document, “Companies buying software should ask hard questions of their vendors, drawing inspiration from the examples of adhering to the principles listed in this document. In doing so, customers can help to shift the market towards products that are more secure by design.” Whenever possible, choose software with collaborative security features for better detection and mitigation of threats.
Protect your applications from being hijacked by implementing strict practices for input validation and sanitization. SQL injection is a method hackers use to bypass credential authentication and access your systems without permission.
Medium’s Comprehensive Guide to Secure Input Validation and Sanitization in SQL Queries describes both pieces of this process succinctly: “Input validation ensures that user inputs conform to expected formats. Sanitization, on the other hand, is like a protective filter that cleanses inputs by removing or neutralizing malicious characters.” This guide is a great, digestible resource even if code is a foreign language to you.
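To make the validation-plus-parameterization point concrete, here is an added example (not code from this article or from the Medium guide) showing a login check written two ways against a constructed SQLite table: one that concatenates the username into the query text, and one that validates the username format and binds it as a query parameter. The table, the sample account, the regular expression and the attacker input are all constructed for illustration.

```python
import hashlib
import hmac
import re
import sqlite3


def hash_password(password):
    # Stand-in for illustration only; production systems use a dedicated
    # password hashing scheme (e.g. Argon2 or bcrypt), not plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    # Constructed in-memory user table with one sample account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The username is pasted into the SQL text, so a quote in the input
    # changes the statement itself instead of being treated as data.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password_hash = '" + hash_password(password) + "'")
    return conn.execute(query).fetchone()[0] > 0


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # constructed policy for this example


def validate_username(username):
    # Validation: only the expected character set and length are accepted.
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn, username, password):
    if not validate_username(username):
        return False
    # Parameterised query: the value is bound separately from the SQL text,
    # so the database never interprets it as part of the statement.
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored and submitted hashes.
    return hmac.compare_digest(row[0], hash_password(password))


if __name__ == "__main__":
    db = build_db()
    attacker_input = "' OR '1'='1' --"  # constructed input; the closing quote and comment rewrite the query
    print("vulnerable, wrong password:", login_vulnerable(db, attacker_input, "wrong"))  # True
    print("hardened,   wrong password:", login_hardened(db, attacker_input, "wrong"))    # False
```

The vulnerable version returns True for the constructed input even though no password matched, because the input closed the string literal and turned the rest of the WHERE clause into a comment; the hardened version rejects it at validation, and would treat it as an ordinary (non-matching) value even if it reached the query.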
Security threats are always evolving, so you can’t afford to be complacent about changes in the digital ecosystem. Consider subscribing to trustworthy cybersecurity newsletters, blogs, and forums to keep tabs on emerging threats and prepare accordingly.
If you don’t have one already, take time to put together a robust cybersecurity plan to keep your organization prepared in the long term.