It’s an unpleasant truth: Somewhere in the world, every few days, a new data scandal comes to light. Recently it was revealed that hackers were able to view millions of airline customer data files, including credit card numbers. Another example is an armaments company, confronted with a data leak: internal documents circulated on the Internet. Austrian authorities made headlines because confidential data of citizens was accessible on unprotected servers. Since the GDPR came into force, companies based in the EU have reported around 160,000 data leaks – in 2019, there were even more incidents than in the previous year. Such data breaches not only undermine the trust of customers and the public, there is also a threat of high fines and claims for damages.

The more complex a company’s IT landscape is, the greater the concern about neglecting security-critical aspects. In our experience, it is common practice to add new infrastructure, hardware and programs to existing systems – dealing with security gaps afterwards. For example, due to anti-pandemic measures companies quickly switched to remote work and set up numerous remote access points. In many cases, the systems were encrypted and the general security level was increased later on. The risk of reacting too late or overlooking something was comparatively high.

From an expert’s point of view, Security by design is a better strategy to protect companies from attackers and data loss. Here is a selection of criteria applying to the main IT segments:

Software

• Simplicity: Software should only cover as many functions as necessary. The more universal it is, the greater its area of attack.
• Transparency: If a larger number of people check a program, it is more likely that errors will be noticed (Linus’s Law). Developers should therefore share code as early and widely as possible and invite security specialists to test the programming for vulnerabilities. Security is one of the reasons why companies are already using open source solutions more frequently than proprietary software for certain applications, for example for desktop browsing and web servers.
• Minimum rights: Standard users are only given the most necessary authorizations in all systems. Administrators can release additional functions via opt-in. This means that criminals who hack an arbitrary employee account won’t get very far.

Hardware

• Upgrading: The constant emergence of new security gaps in standard processors confronts companies with the question of whether they should fall back on alternative, specially encrypted and generally more expensive alternatives for sensitive work areas.
• Authentication: For sensitive services such as online banking, two-factor authentication is already standard practice, and it can also make sense for company systems. This requires appropriate hardware, such as access tokens or fingerprint scanners.

Network

• Segmentation: Companies do well in distinguishing between more or less business-critical and confidential areas, securing them accordingly. For example, a so-called demilitarized zone (DMZ) can be set up for web customer services, which is technically isolated from the internal network and thus makes unauthorized access more difficult.
• Monitoring: Control systems that detect or ward off attackers (intrusion detection/prevention systems), prevent data loss (DLP) and monitor database activity (DAM) are indispensable.

As already mentioned, this is just a selection of criteria that are relevant for security by design. Some, but not all, require higher investments from companies. Even if secure design may be more expensive at first, it will pay off over the years. Which priority should a company set? This is a complex question, requiring analyses that usually lead to larger projects. Therefore, many companies postpone the issue. In practice, we have often experienced that decision-makers don’t react before problems arise. In view of growing risks, more companies should move to precautionary measures and start a top to bottom change of their IT security practice.

Learn more about our cyber security consulting services here.