Application Security in Medium to Large Businesses
The last thing you want to read when you log on to a computer or mobile device is that your company was compromised through a backdoor in software it trusted.
Yet this is increasingly how attackers get into networks: through the applications and updates that organizations install, which moves stringent application security measures to the front of the queue.
We were reading an interesting story on Forbes.com concerning a cyber-security threat that affected millions of consumers. According to the report, the app involved in this attack was CCleaner, which is a software product that performs maintenance and file clean-ups.
CCleaner is developed by Piriform, a subsidiary of the well-known anti-virus provider Avast.
The Effects of the CCleaner Attack
This might seem like a routine story, but the product claims 2 billion downloads to date and another 5 million downloads per week. If these numbers are accurate, a trojanized release is a very serious threat.
The chief technology officer of Avast, Ondrej Vlcek, was quick to reassure consumers that they shouldn’t panic. He explained that the company’s security tool had been used to scan the affected machines and that, based on that scan, the company concluded the attackers had not issued the second phase of their attack. He acknowledged the following: “2.27 million (instances of infection) is certainly a large number, so we’re not downplaying (that) in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic.”
At the time of the report, the second stage appeared not to have been delivered. Avast’s later analysis found that it had in fact reached a small number of machines at targeted technology companies, which is a reminder that the first public assessment of an incident is rarely the final one.
Getting Prepared for the Future
There are two takeaways from this for contemporary businesses. First, careful attention must be paid to the company’s IT infrastructure so that a backdoored third-party application cannot be installed and run unnoticed on its servers. The compromised build came through the vendor’s own distribution channel, so this means knowing which third-party software is in use, verifying what is installed, and watching what it does after installation. It also requires careful oversight by the CTO of the company’s contracts with third-party software vendors.
Second, the business apps that companies develop for their consumers and business partners, whether web or mobile, must be built and distributed in a way that prevents attackers from inserting malware into them, which means protecting the build and release pipeline as well as the application code. For example, you could launch a new shopping app on which customers place orders for product delivery; if attackers can insert their own code into a release, they can steal customers’ credit card details while those customers use your app.
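One concrete control behind the first takeaway is to pin the digests of a vendor release and refuse to deploy anything that does not match. The script below is an added example written for this article; it is not code from Avast, Piriform or the Forbes report, and every file name, file content and digest in it is constructed for the demo. It assumes the vendor publishes SHA-256 digests for each artifact through a channel independent of the download server (for example, a signed release note), and that the deployment team records them in a manifest. The caveat a practitioner should keep in mind: this catches tampering between the vendor and you, but if the compromise happens inside the vendor’s own build pipeline, as was reported for CCleaner, the vendor’s digests and code signature will match the trojanized build, so pinning must be combined with monitoring of what the software does once installed.

```python
"""Pin-and-verify check for third-party software artifacts (added example).

All artifact names, contents and digests are constructed for the demo; they
are not indicators for any real product.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 1 << 16  # read installers in 64 KiB pieces so large files are not loaded whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(release_dir: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare every file in release_dir against the pinned manifest.

    Status per artifact:
      ok          digest matches the manifest
      mismatch    file present but digest differs (tampered or wrong build)
      missing     listed in the manifest but absent from the directory
      unexpected  present in the directory but not listed (an extra payload)
    """
    results: Dict[str, str] = {}
    present = {p.name: p for p in release_dir.iterdir() if p.is_file()}
    for name, expected in manifest.items():
        if name not in present:
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(present[name]), expected.lower()):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for name in present.keys() - manifest.keys():
        results[name] = "unexpected"
    return results


def deployable(results: Dict[str, str]) -> bool:
    """A release is deployable only if every pinned artifact verified and nothing extra appeared."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> Dict[str, str]:
    """Build a constructed release directory, pin it, simulate tampering, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        release = Path(tmp)
        # Constructed "clean" release as the vendor published it.
        (release / "installer.exe").write_bytes(b"constructed clean build")
        (release / "helper.dll").write_bytes(b"constructed helper library")
        (release / "readme.txt").write_bytes(b"constructed release notes")
        manifest = {p.name: sha256_file(p) for p in release.iterdir()}

        # Simulate a compromised distribution channel: one artifact swapped for a
        # trojanized build, one dropped, one unlisted file slipped in.
        (release / "installer.exe").write_bytes(b"constructed trojanized build")
        (release / "readme.txt").unlink()
        (release / "update.bin").write_bytes(b"constructed unlisted payload")

        return verify_release(release, manifest)


if __name__ == "__main__":
    outcome = demo()
    for artifact, status in sorted(outcome.items()):
        print(f"{status:10s} {artifact}")
    print("deployable:", deployable(outcome))
```

Run it directly and it prints one status line per artifact and a final `deployable: False`; in a deployment pipeline the same `deployable()` result would gate the install step. The manifest is keyed by file name only, so it should be stored and transported with the same integrity protection as the release itself (a signed file or a read-only configuration repository), otherwise an attacker who can swap the installer can swap the manifest too.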
What to Look For
Monitoring software contracts is a large undertaking for chief technology officers, but it is also an important element of their job description. When a company prepares to enter an agreement with a third-party vendor, the contract must state clearly which party is responsible for what if the vendor’s product is compromised: who must notify whom, how quickly, and who bears the cost of response and remediation.
The vendor carries potential liability for the use of its product, and the client company carries the potential losses from the app’s effects on its own customers and business partners.
Building Better Partnerships
One of the barriers to cybersecurity is companies rushing to acquire new infrastructure, whether through software agreements, the implementation of new hardware, or the design of new systems for their exclusive use.
There is a mindset that a business must seize an opportunity through automation without working through the process of adoption and implementation. We recommend that CTOs slow this process down just enough to safeguard their business interests and, as part of that, pay particular attention to application security.
In a larger organization such as Avast, there are so many products distributed over large networks that any real cyber attack could bring millions or billions in losses. While the potential loss exposures for your organization might be smaller, take the necessary time to build infrastructure and then prevent as many losses as you can.
This calls for a true risk management mindset. It means ensuring that each layer of protection is built in at the point where a new piece of IT infrastructure is adopted, not bolted on after the fact.
Even with all of your built-in safeguards, attackers will sometimes still find a point of vulnerability in your company, and that is why you carry cybersecurity insurance.