At Endava we take security seriously in all of our projects, so seriously in fact that we have a specific approach to developing software that we call "Secure Development", in which we add additional activities and steps (such as threat modelling and vulnerability scanning) to our normal software lifecycle activities. This is often in conjunction with a DevOps approach to delivery, integrating security activity into the cross-functional team, resulting in so-called “DevSecOps”. Of course, this requires more effort and a bit more budget, in the same way that delivering additional features would.
It has become apparent that sacrificing secure development to save costs is more common than not. This week, a well-known FTSE 100 company (which is not an Endava client) discovered just how expensive the alternative can be, highlighting the need to prioritise security in systems development and operation. In mid-2018, it was hit by a cyberattack that compromised customer data, including names, addresses, log-in credentials, payment card details and travel booking details. A year later, the UK Information Commissioner's Office (ICO) announced that the business had failed to protect the fundamental privacy rights of its customers and issued a notice of intention to impose a significant fine on the company under the provisions of the GDPR.
And it's not just this FTSE 100 company that may be feeling the consequences of inadequate cybersecurity measures. A well-known Fortune 500 company may also be facing a fine after a cyberattack in 2014 in which attackers stole the records of several hundred million customers. In this case, too, the ICO has communicated its intention to issue a hefty fine against the group for GDPR-related infringements.
While cybercrime may be virtual, the threat is very real, and it requires the same level of consideration as physical security does, if not more. Cyberattacks are a crime, just like burglary, but you wouldn't skip fitting an alarm and locking the door in the hope that your property will remain safe simply because the law is on your side. The same thinking needs to apply to cybersecurity. Businesses need to take sensible precautions while developing and operating software to make it as difficult as possible for cybercriminals to mount an attack against them.
These cases illustrate that regulators are finally taking cybersecurity incidents seriously and will levy fines that are not just a rounding error in the company's accounts, to be dismissed as a "cost of doing business". And this is exactly how it should be.
Cybercrime is not going to go away. In fact, Juniper Research predicts that 'cybersecurity breaches will result in over 146 Billion records being stolen by 2023'. The same report expects 'the number of records breached to nearly triple over the next 5 years, while cybersecurity spend will only increase by an average of 9% per company per annum'. For those businesses that are already focused heavily on security, perhaps that increase will be enough; for the rest, who have been skipping these vital steps to save money, that level of investment probably won't be.
Beyond the fines, the cost of a cyberattack is far-reaching. A Ponemon Institute study from 2018 found that the 'cost of the average data breach to companies worldwide amounted to US$3.86 million' and that 'the average time it takes to identify a data breach is 196 days'. Once you have lost the trust of your customers, it can take years to get it back.
Organisations have a duty of care to their customers to take reasonable precautions to keep their personal details safe from cyberattacks. Developing software with a serious focus on security is an important part of meeting that duty. And suddenly the new regulatory environment makes it look much better value for money!
Eoin, Chief Engineer, provides technical strategy advice to our major clients and works with our delivery organisation to ensure that the right people, tools, technologies, and processes are in place. Outside work, he is an enthusiastic amateur trumpet player, dwelling in a wide range of styles including wind band, brass band, big band jazz and classical. He also likes anything with an engine that can move quickly, particularly Alfa Romeo, Audi and Jaguar road cars and saloon car, Formula-E and Formula 1 racing.