
Architecture | Eoin Woods |
12 July 2019

At Endava we take security seriously in all of our projects, so seriously in fact that we have a specific approach to developing software that we call "Secure Development", in which we add additional activities and steps (such as threat modelling and vulnerability scanning) to our normal software lifecycle activities. This is often in conjunction with a DevOps approach to delivery, integrating security activity into the cross-functional team, resulting in so-called “DevSecOps”. Of course, this requires more effort and a bit more budget, in the same way that delivering additional features would.

It has become apparent that it is more common than not to sacrifice secure development to save costs. This week, a well-known FTSE 100 company (who are not an Endava client) discovered just how expensive the alternative can be, highlighting the need to prioritise security in your systems development and operation. In mid-2018, they were hit by a cyberattack which compromised customer data including names, addresses, login, payment card and travel booking details. A year later, the UK Information Commissioner's Office (ICO) announced that the business had failed to protect the fundamental privacy rights of its customers and issued a notice of intention to impose a significant fine on the company under the provisions of the GDPR regulations.

And it's not just this FTSE 100 company that may be feeling the consequences of inadequate cybersecurity measures. A well-known Fortune 500 company may also be facing a fine, after a cyberattack in 2014, when hackers stole the records of several hundred million customers. In this case, the ICO has also communicated its intention to issue a hefty fine against the group for GDPR related infringements.

While cybercrime may be virtual, the threat is very real, and it requires the same level of consideration (if not more) than physical security does. Cyberattacks are a crime, just like burglary, but you wouldn’t avoid fitting an alarm and locking the door in the hopes that your property will remain safe simply because the law is on your side. The same thinking needs to apply to cybersecurity. Businesses need to take sensible precautions while developing and operating software to make it as difficult as possible for cybercriminals to mount an attack against them.

These cases illustrate how regulators are finally taking cybersecurity incidents seriously and will levy fines that are not just a rounding error in the company's accounts that can be dismissed as a "cost of doing business". And this is exactly how it should be.

Cybercrime is not going to go away. In fact, Juniper Research predicts that ‘cybersecurity breaches will result in over 146 Billion records being stolen by 2023’. The same report states that ‘the number of records breached to nearly triple over the next 5 years, while cybersecurity spend will only increase by an average of 9% per company per annum’. For those businesses who are already focused heavily on security, perhaps that increase will be enough, but for the rest who have been skipping these vital steps to save money, that level of investment probably won’t be enough.

Beyond the fines, the cost of a cyberattack is far-reaching. In a Ponemon Institute study from 2018, it was identified that the ‘cost of the average data breach to companies worldwide amounted to US$3.86 million’ and ‘the average time it takes to identify a data breach is 196 days’. Once you have lost the trust of your customers, it can take years to get it back.

Organisations have a duty of care to their customers, to take reasonable precautions to keep their personal details safe from cyberattacks. Developing software with a serious focus on security is an important part of this process. And suddenly the new regulatory environment makes it look much better value for money!

Eoin Woods

Chief Engineer

Eoin provides technical strategy advice to our major clients and works with our delivery organisation to ensure that the right people, tools, technologies, and processes are in place. Outside work, he is an enthusiastic amateur trumpet player, dwelling in a wide range of styles including wind band, brass band, big band jazz and classical. He also likes anything with an engine that can move quickly, particularly Alfa Romeo, Audi and Jaguar road cars and saloon car, Formula-E and Formula 1 racing.
