“Personal data: If you can’t protect it, don’t collect it”
Data leaks and the privacy commotion surrounding Facebook highlight how risky it is for companies to develop their own data collection software. “Building your own software creates technical debt”, warns Rob van der Veer, principal consultant at Software Improvement Group (SIG). “With heightened privacy legislation, data is no longer ‘the new gold’, but is rather becoming ‘radioactive gold’. Assume that you will eventually be hacked and limit the damage in advance.”
If you are unable to secure personal data, don’t gather it. More importantly: do not create any software that you cannot maintain, and keep free of vulnerabilities, in the long run. With this advice, Van der Veer, of IT consultancy SIG, aims to help organisations become secure and future-proof in the coming years. “Security incidents and data leaks will continue to occur with greater frequency”, he predicts. “This is a given for businesses and other organisations, and it means two things.”
Firstly: maintain modest digital ambitions. Build less software of your own and store less data, so as to reduce your exposure. Secondly: if you do develop software, invest in sound embedded security and privacy. Look ‘under the hood’ more frequently and more critically: inspect your software’s source code for vulnerabilities and privacy errors regularly, and earlier in the development process.
Being reserved in developing your own software tools for gathering clients’ personal information is what Van der Veer calls ‘digital modesty’. “The realisation that such software applications increase an organisation’s vulnerability is increasing. Self-developed software applications don’t always align with the risks that they create.
Data has long been considered ‘the new gold’. Businesses were eager to make the most out of these new developments and fully profit from personal data. However, new privacy legislation, such as the General Data Protection Regulation (GDPR), makes it clear that this gold must be considered as ‘radioactive’.
If an organisation should suffer from a data leak in which the security of clients’ information is compromised, the business will now be held accountable. As a result, organisations are limited in what they can do with data; this benefits the rights of the individual. Should things go wrong, businesses will feel the added sting of hefty fines in addition to the resulting reputational damage.”
Van der Veer has already noted, for example, that businesses are no longer developing their own apps, but rather rely upon a ‘mere’ mobile version of the corporate website. “I see this as a sensible trade-off. Building software creates liability; software requires continuous maintenance. The ‘we’ll cross that bridge when we come to it’ attitude is slowly subsiding. A growing number of organisations are aware of the future issues to which they expose themselves with overenthusiastic software development.”
It is better to take a look at the trusted existing software and best practices on the market, says Van der Veer. “Businesses can reuse the software developed by their peers. A transport company in Tokyo, for example, has a system that a Dutch transport company can readily employ. Build upon existing technologies and do so with plenty of attention to the selection and updates of your chosen product. First and foremost, however: look before you leap. Developing your own software is a business case with a long tail.”
Under the hood
SIG’s second piece of advice is for organisations that still choose to develop their own software: pay more attention to embedding security and privacy into these systems. “It’s all about the quality of the software product under the hood”, explains Van der Veer.
“Whether the security and privacy are embedded thoroughly and effectively can be determined by simply inspecting the software’s source code.”
Much legacy software originates from a time in which organisations paid little attention to security. “Let alone to privacy”, emphasises Van der Veer. “SIG is a rapidly growing company, and for a good reason. We see and understand that organisations want to improve and truly embed security, even retroactively. If given a choice, it is better to incorporate security from the get-go, rather than to add it at a later stage. Subsequent penetration tests often come too late or are superficial. Alternately, businesses sometimes rely on tools that should automatically scan their systems, but these often only uncover half of the issues.”
To ensure sound source code for both new and existing software, most organisations opt for what Van der Veer calls a ‘babysitting model’. “An external security expert must provide developers with active guidance. Preferably one expert per team. Problem: developers are not motivated to arrange this, and there are only a few babysitters in the market with all of the required in-house knowledge and expertise. This is where we come in.
SIG offers something of an A-team that can be mobilised anywhere. We have a team of 115 experts who collectively support more than two hundred programming languages. We can engage these experts as flyby coaches per situation, resulting in a highly efficient and cost-effective solution.”
“The issue with this isn’t only the lack of expertise; the standards defining secure software are far from straightforward. There is fragmentation; though, even in this, SIG is able to assist companies. We have devised a framework, based on ISO 25010, into which various standards can be fitted. Such coordination makes the implementation of the correct standard situationally applicable.”
Lastly: organisations are better off assuming that, sooner or later, they will be hacked. “An organisation is, however, free to determine the damage and repercussions”, Van der Veer reassures us. “Ensure that hackers can’t get far, that you can rapidly identify an attack, and that the reward for hackers is limited. Ensure source code quality and carefully consider which data you will gather.”
Nonetheless, Rob van der Veer does encounter sound solutions which enable organisations to draw value from personal data without jeopardising privacy. “Take, for example, the use of pseudonyms whereby an individual’s information is linked to a code or key which cannot be traced back to the individuals themselves. Likewise, if you want to monitor the number of unique visitors to your website, you can gather only the hashes of their IP addresses to do so.
Remember: the increasing attention to privacy also offers opportunities. Businesses with sound security and privacy policies in place gain a growing advantage in terms of trust.”
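The pseudonymisation approach described above, as an added example rather than code from SIG or the article: unique visitors are counted from a keyed hash (HMAC-SHA256) of the client address, where the secret key is assumed to live outside the analytics store and to be rotated per reporting period. The sample addresses, key handling and function names are assumptions for the demo. The example also shows why a plain, unkeyed hash of an IPv4 address is not a pseudonym: the address space holds only 2^32 values, so anyone with the hash can enumerate the candidates and match. One caveat a practitioner should keep in view: under the GDPR, pseudonymised data remains personal data for as long as the key exists, so the key deserves the same protection as the addresses it replaces.

```python
"""Pseudonymous unique-visitor counting with a keyed hash.

Added example, not code from SIG or the article. Assumes an HMAC key that
is stored outside the analytics database and rotated per reporting period;
the addresses below are constructed sample data (documentation ranges).
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Iterable, Optional

# Constructed sample: client addresses from one day of access logs (not real traffic).
SAMPLE_LOG_IPS = [
    "203.0.113.7", "203.0.113.7", "198.51.100.23",
    "203.0.113.7", "198.51.100.23", "192.0.2.200",
]


def new_period_key() -> bytes:
    """Fresh 256-bit key for a reporting period. Rotating it breaks linkage
    of the same visitor across periods; the key must never be stored next
    to the pseudonyms it protects."""
    return secrets.token_bytes(32)


def unkeyed_pseudonym(ip: str) -> str:
    """Plain SHA-256 of the address. Deterministic, but for IPv4 it is
    reversible by enumeration (see brute_force_unkeyed), so it does not
    stop anyone from tracing the code back to the address."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the address under a secret key. Without the key, an
    attacker holding the analytics store cannot link a code to an address."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def count_unique_visitors(ips: Iterable[str], key: bytes) -> int:
    """Count distinct visitors while retaining only keyed pseudonyms;
    the raw addresses are never written anywhere."""
    return len({keyed_pseudonym(ip, key) for ip in ips})


def brute_force_unkeyed(target: str, network: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by enumerating a candidate
    range and comparing hashes. A /24 suffices for the demo; the full IPv4
    space (2**32 hashes) takes minutes on ordinary hardware."""
    for addr in ipaddress.ip_network(network):
        if unkeyed_pseudonym(str(addr)) == target:
            return str(addr)
    return None


if __name__ == "__main__":
    key = new_period_key()
    print("unique visitors:", count_unique_visitors(SAMPLE_LOG_IPS, key))
    leaked = unkeyed_pseudonym("203.0.113.7")
    print("unkeyed hash reversed to:", brute_force_unkeyed(leaked, "203.0.113.0/24"))
    # Same address under a different period key: the codes no longer match.
    print("linkable across periods:",
          keyed_pseudonym("203.0.113.7", key) == keyed_pseudonym("203.0.113.7", new_period_key()))
```

The design choice worth noting is that the protection comes entirely from the secrecy of the key, not from the hash function: HMAC with a 256-bit key cannot be enumerated, but a copy of the key alongside the analytics table turns every pseudonym straight back into personal data.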
This article was also published on Dutch IT-channel