‘Secure by Design’: why are so many businesses failing?

Ransomware, data breaches, phishing attacks, and most recently, ‘cryptojacking’…barely a week goes by without yet another example of a security breach hitting news headlines. While most businesses are aware that operating in an online environment puts them at automatic risk of a cyber-attack, many are still failing when it comes to basic security hygiene – particularly when it comes to the planning and implementation of new IT systems.

While common sense would dictate that security vulnerabilities are more expensive and time-consuming to fix after the fact, project teams still tend to overlook (or completely cast aside) security until much later in the design process. Not only does this put the project itself at risk (think missed deadlines and added cost), but an unsecure system can also result in significant financial or reputational risk to the entire business.

The reason why businesses – or more specifically, project teams – continue to take such a relaxed approach to security is something that continues to baffle security experts. With Australia’s new data breach reporting laws having come into play last month, it’s more important than ever that Australian businesses take a more considered approach to the security of IT systems. 

In reality, businesses should take a ‘Secure by Design’ approach not only to reduce the likelihood of projects running into unexpected cost but also avoid exposing the business to unnecessary risk. 

Security often ‘tacked on’

It’s true that the security aspect of any new IT system probably isn’t going to be the thing that gets the project team excited. Security relies heavily on people and process – and everyone is likely to be focused on designing and building the incredible technology and all the things it can do. Unfortunately, it’s precisely this sort of short-term thinking that leaves vulnerabilities in your IT that can be easily exploited by cybercriminals.

One example of this in action is the recent hack of an Australian defence contractor, which saw information about Australia’s Joint Strike Fighter program and additional military hardware stolen. However, despite the constant barrage of highly public security compromises, and the significant financial and reputational impact they have, the level of maturity and awareness relating to business risk and information security is mixed at best. Government does tend to be somewhat ahead of the game, however much of the private market is immature with a tendency to rush into delivering the functionality desired by the business.

Unfortunately, for many businesses it often takes a negative experience to put the topic of information security on the agenda. Aura’s team is regularly called upon at the last minute to help remediate security vulnerabilities that could have easily been fixed much earlier in the project.

Why be ‘Secure by Design’?

A ‘Secure by Design’ approach allows businesses to identify security risk in the early stages, and remediate vulnerabilities when it is most cost and time effective. Essentially, ‘Secure by Design’ is about proactively managing your information security risk throughout the project, which in turn enables you to deliver a secure outcome to your business.

Think of it this way: Imagine trying to retrofit seatbelts, airbags, and crumple zones to the design of your car – sounds hard, doesn’t it? When you buy a car, you sort of expect that the manufacturer has considered all of those safety features before they started thinking about performance and aesthetics. The same should apply when implementing a new IT system.

The security lifecycle

Whenever you implement something new, or make a significant change, you run the risk of introducing security vulnerabilities. ‘Secure by Design’ aims to give businesses’ visibility of these risks as early as possible, so they can manage them most effectively.

‘Secure by Design’ should start around the whiteboard at the project kick-off meeting, when you are discussing solution requirements and desired business outcomes. By doing this you can not only ensure you are making good security design decisions, but also be assured that you are  building your IT in a secure way. Essentially, if you’ve done it right then the security testing phase shouldn’t uncover any security show stoppers that you didn’t already know about.

It’s worth noting that being ‘Secure by Design’ isn’t just a one-off. Security does not simply drop off the ‘to-do’ list as soon as a project is complete, it falls into a security lifecycle. IT systems are not static – they get designed, built, tested and deployed. They get modified and patched, and they have an operational life. All IT systems have an inherent risk that needs to be managed as part of business as usual – with monthly reporting, regular penetration testing and routine scrutiny for any changes to the risk profile.

At Aura, being ‘Secure by Design’ is considered a four-phase process:

• The ‘Design’ phase: where potential security risks are identified by software and infrastructure security architects.
• The ‘Build’ phase: in which our consultants help you check that you are building your systems in a secure way.
• The ‘Test’ Phase: the team carries out an end-to-end penetration test to ensure any remaining security flaws are remediated and you have full visibility.
• The ’Operate’ or business as usual phase: where ongoing analysis, reporting and security optimisation occurs for the duration of the system’s operating life.

You’re only as strong as your weakest link

For the most part, project owners can plan ahead, troubleshoot and assign roles to ensure things stay on track. However, without addressing the need for security early in the project, businesses are missing a glaringly obvious barrier to project success. If you don’t have visibility of the information security risk you are introducing then you are potentially leaving your business’ crown jewels on a silver platter for cybercriminals.

And finally – remember, it’s better to discover any security vulnerabilities before the hackers do.