The information technology sector is one of the world's fastest growing industries, and software and software products are evolving far faster than software security practices are. In an age of cybercrime, some of the most widespread cyber-based crimes include:
Cybercrimes such as these are only the tip of the iceberg when it comes to the need for firms to implement a software security initiative (SSI). And that need extends far beyond software developers: government organizations, financial institutions, healthcare providers, and insurance companies are just a few of the entities taking security seriously, and they are doing so by ensuring that they have a strong software security program in place.
Does your firm have one?
Countless security breaches take place daily. As of this writing, the Equifax breach is the attack of the moment.
Let's look at another, slightly older example to understand the business impact. Suppose a leading health insurance company, based in the United States, maintains sensitive personally identifiable information (PII) for over 80 million people. The information it keeps on file includes Social Security number, customer name, address, date of birth, spouse/family information, salary, and so on. The company also has a decades-old reputation for trustworthiness.
Now suppose a threat actor in another country wants to break into the insurer's database to create chaos. When 80 million people (roughly 25% of the U.S. population) have their information put on display for anyone to see, chaos is guaranteed.
The threat actor offers an insurance company employee a large sum of money to open a way through the firewall and network layers, allowing the hacker(s) to finish the job. The result is a massive identity compromise. But the damage does not end there.
Reputation. The media will assess, uncover, and publicize every detail of the breach. The hacked firm will then become a pariah, portrayed as having allowed such a horrible thing to happen to unsuspecting citizens.
Legal. Many customers will likely sue the insurance company. And before you can bat an eye, the trustworthy reputation the firm worked so hard to build and maintain will sink faster than the Titanic.
Financial loss. Customers, in this case the employers offering the breached firm's health insurance coverage to their employees, will scramble and likely withdraw from the breached company's services. Prospective customers will abandon the tarnished company's offerings and shift to a competitor. You can also kiss the revenue from long-time customers goodbye. Regulators will then require the company to provide identity monitoring services, free of charge, to 80 million people, which is a tremendous financial burden for the breached firm.
Additional fallout. Believe it or not, things get worse still. Stock prices plummet. No new business opportunities are on the horizon. Long-term reputation and revenue suffer. The firm may even close its doors for good. Only time will tell.
Having gone through the trauma and drama of this example, let's return to the question behind this article: Why do companies need a software security program?
Sure, your company has an established reputation for trust, strong values, strong prospects, and consistently hits its revenue goals year over year. Things look really good. But all of that means nothing if your firm isn't taking software security seriously. One breach is all it takes to ruin it, and breaches happen every single day.
It's imperative that companies evaluate their business to identify their software security needs, strategy, and weaknesses, and establish a security policy to safeguard their computer networks, software systems, and databases.
Developers take quality, performance, scalability, and maintainability into account from the very beginning of design and development; security belongs on that list too. Firms must promote software security awareness among developers and make security an integral part of development rather than an afterthought. An SSI program gives that effort structure across the whole lifecycle, so that software stays secure, high-quality, high-performing, scalable, and maintainable once it is in production, for customers and for the future of the entire organization.
Pruthvi Nallapareddy is a security consultant at Synopsys. She specializes in software security program development.