The software and technology (S&T) industry has been facing an increase in cyberattacks over recent years. These attacks impact organizations as well as customers. In order to help our S&T clients, Baker Tilly developed the following list of common issues affecting the S&T industry as a starting point toward improving your cybersecurity posture and readiness to respond to a cyberattack.
S&T organizations have to closely manage changes not only to their environment (infrastructure) but also to their software. Many do this through governance programs, including peer reviews, that enable a comprehensive view of the changes occurring within their environment. However, not all changes are managed equally. Leading practices suggest that a risk-based approach is best due to limited internal resources and time. Although, as environments have become more complex and more integrated, many organizations do not properly consider the upstream and downstream impacts of their changes. We have seen many real-world examples of small changes to minor services that have caused significant impacts to upstream services including affecting the availability of these services to customers. Change management activities need proper governance and when considering change-related risks, the organization should have both an upstream and downstream understanding of how the change could influence other services and customers.
No example stands out more than SolarWinds. Not understanding the third-party libraries or software in use and the changes to those third-party applications can cause detrimental harm to your internal services and to the services you provide to customers. Software is rarely built without third-party dependencies, but organizations tend to overlook the risk of utilizing code or services that they do not control. Risk management activities mostly focus on risk factors that an organization can control and can miss the underlying risks associated with using third-party developed solutions. Attackers have targeted these third-party solutions in recent years as a way to gain a foothold in a broader set of organizations. S&T organizations should inventory the third-party libraries and software used in their products or services, and regularly monitor and assess changes to those components to ensure a comprehensive view of risk is understood and can be managed appropriately.
Developers are taught best practices for the development of their code, however, even the most experienced developers can make mistakes that introduce vulnerabilities into an organization’s software or environment. Secure coding practices start with a continuous education program for developers to ensure they are aware of the security risks and top vulnerabilities associated with software development. Additionally, organizations should implement code scanning solutions to automatically scan newly developed code for security vulnerabilities. These tools utilize static code scanning and dynamic code scanning capabilities to provide a comprehensive view of how code is built and how it operates in real world scenarios. But just deployment and use of the tools is only a part of the process to minimize vulnerabilities in code, the other part comes down to the reporting, tracking and remediation efforts to fix the vulnerabilities identified in a consistent and expedient manner.
S&T organizations must manage their own internal security, while also providing customers with comfort that those security controls are operating effectively. These obligations can be driven through industry-based compliance requirements (e.g., HIPAA or PCI) or they can be driven through contractual agreements established with the customer (e.g., SOC reports). No matter where the obligations originate, organizations must develop internal controls and governance activities to properly manage these obligations on an ongoing basis. Many organizations establish their own internal compliance management programs that regularly test and review management and operational activities to ensure these compliance requirements are being met. Additionally, organizations should consider the use of internal governance, risk and compliance (GRC) solutions to enable more efficient compliance management activities that reduce overhead and increase the consistency of testing and reporting.
When providing a service that customers rely on for their business operations, business continuity (BC) and disaster recovery (DR) considerations should be a high priority. We all know the frustration we feel when a third-party service provider has an outage, and as that service provider, you should recognize the impact those outages have on your reputation and bottom line. S&T organizations should identify the various components associated with their services, and then systematically walkthrough potential scenarios that could affect the availability or integrity of those components. When taken independently, each component may not pose a high risk to the availability of your services, but the unavailability of multiple components could significantly impact your services and your customers. Business continuity activities focus on identifying the priority, risks and availability requirements of your business operations; disaster recovery activities focus on the solutions you implement to recover in the event a disaster occurs. Many organizations choose to assign a higher priority to customer-facing services, while allowing internal solutions longer recovery times to minimize the impact felt by customers.
For more information on this topic, or to learn how Baker Tilly specialists can help, please connect with a member of our team.