Thus far, we’ve spent much time examining the core principles of the GDPR and other pieces of data regulation. We’ve worked through some of the implications these documents carry for the UX and back-end functionality of consumer-facing applications. However, there are many other components to your business’s robust, secure data operation. Let’s look at the core principles of ensuring your hardware, software, and applications are securely spec’d to withstand attack. It’s no secret, threats to digital security are on the rise. The consequences of a data breaches are a PR nightmare of epic proportions (Hello Equifax). Start with the steps to get smart about your company’s infrastructure.
Encrypt On-Premise Storage Devices
Many businesses continue to use SSD’s and HDD’s as a backup storage solution. Data on these devices should get encrypted and password-protected in the first place. Doing so significantly reduces the risk that bad actors will access if a storage device is compromised.
Assess Network Security
The infrastructure hosting company communications are vital to your ability to do business. Each device is a potential security breach point to malicious outsiders. Your wireless router, your company phones, and your web servers. It’s easy to overlook these when you’re just starting your company. We strongly recommend that even small startups get serious about protecting their data. You can do this by conducting a network security assessment, identifying potential risks to your systems while working with partners on mitigation. It may seem like overkill. So remember, what you do now will save you in the future, especially where you’re a success and proliferate. You start becoming a higher target and risk increases. Getting your house in order now will safeguard you in the future.
Employ Due Diligence with Hosting Platforms, Third-Party Libraries, and Code
Online resources are a great way to develop solutions quickly. Hence, SaaS platforms have grown increasingly popular. Third-party libraries have also been an essential tool for letting development teams work efficiently. One should never assume any one of these resources is impervious to attack. Your organization must perform its due diligence on any modular solution it uses as part of its solution. Do your users, customers, and/or org report vulnerabilities? What are the ways to mitigate them?
At a minimum, cloud service providers should be complying with criteria such as:
- SOC 2 (SSAE16/ISAE 3402) – a report based on AICPA’s existing Trust Services principles and standards that evaluates an organization’s InfoSec, availability, processing, and confidentiality capabilities.
- ISO 27001 – This is one of the most widely recognized, internationally accepted independent security standards A framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
- ISO 27018 – An international standard of practice for the protection of personally identifiable information (PII) in public cloud services.
- PCI-DSS – If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant provider.
- Privacy Shield – Privacy Shield Frameworks are designed to provide a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.
- FedRAMP – The Federal Risk and Authorization Management Program is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
In some cases, it can be the right business decision to forsake the security features included with a given hosting platform to build your own. If your company is handling financial data, we recommend building your code from scratch. Additionally, using a five-level encryption process to ensure no one can read the data even if stolen during transfer.
SSL Your Site
Lastly, on the point of data transfer, it is increasingly a non-negotiable for business conducting any online commerce to invest in an SSL certificate. An SSL Cert, in the words of the makers themselves, “is used to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it.” If you’re in development, you understand the many waypoints a piece of data travels through in its transmission; encryption is vital. Furthermore, SSL Certs provide authentication that lets users know they “are sending information to the correct server and not an imposter.” Do they know the technical implications of what this means? Unlikely. However, do they get nervous when their browser bar flashes red and warns them that the site may not be trustworthy? The bounce rate from this alone is enough to justify SSL investment for almost any business.