Application Security which is sometimes shortened to ‘AppSec’ – is an increasingly important Cybersecurity field, especially considering the growing variety and number of online buying and selling activities and platforms.
These different ecommerce activities may be carried out on websites, through online games, apps or via smart home devices. Application Security encompasses all the security (and compliance) Processes, Roles (people) and Tools/Technologies that are used to ensure that ecommerce activities of all types and on all platforms are secure.
For organisations to meet their strategic Application Security requirements, it is essential to apply a set of smart and relevant guiding principles one of which involves Making Security Everybody’s Business.
The Essential Link
The widely accepted belief that end users are the weakest link in every security chain is a rather unhelpful approach to Cybersecurity.
A much better approach is to make use of different routes to inform, empower and engage users in any security strategy. It is essential to make the users aware of the crucial role and responsibility even they have for ensuring that their organisation builds and maintains a strengthened security chain. It is important to include a well-planned Security Awareness Programme in any Cybersecurity roadmap with one of the core goals of the programme being to make it clear to all end users (or employees, as the case may be) that they are indeed a link on which the organisation relies on in several areas to achieve a strong security posture.
Realistically, end users typically are the first line of defence. They are also the most exposed part of a company’s defence structure because they engage within the organisation as well as outside it. Within the organisation, they may be subject to strict rules which are enforced during work hours and in work environments. However, outside of these settings, end users, in most cases, operate under fewer technology restrictions such as activity monitoring, data collection, analytics and alerts.
This is especially true in organisations which do not have a mature Bring Your own Device (BYOD) strategy and Data Monitoring and Management processes that are being maintained. End users can be manipulated into divulging sensitive company information. Outside of any company-managed monitoring controls and restrictions, these attacks are more likely to be successful and this can be damaging to an organisation’s security posture and overall business.
Manipulating an employee into exfiltrating data from an organisation and risking GDPR compliance infractions can be carried out using Social Engineering attacks. These attacks do not require complex security tools and methodologies. In the same vein, preventing these types of attacks does not require complex security tools and methodologies. Note that the goal here is to prevent these attacks. Prevention is important and precedes monitoring e.g. for data exfiltration -, identifying and eventually stopping the attacks assuming they are successfully discovered.
Within an organisation:
- Security may not be everyone’s profession or area of expertise;
- Security may not be identified as a sub-requirement in everyone’s job description;
- The word “security” may not appear anywhere in some or all of the job adverts that the organisation places.
But security has to be everybody’s business and making security everybody’s business can be achieved through the following approaches, among others:
Signposting: This involves placing informational materials and posters at strategic points around office spaces. For example, to support developers, a company can choose to place the OWASP Top 10 Controls on a large, clear poster in the code development teams’ office area. For HR it can be a poster highlighting the best ways to avoid falling victim to social engineering attacks. For senior management it can be a desk mat that provides short, sharp reminders about how to avoid falling victim to spear-phishing and whaling. These items are useful and invaluable for informing and reinforcing a company’s Cybersecurity message and they are a good way to positively influence a company’s Cybersecurity culture.
Security Portal: Creating and maintaining an online security portal that is readily accessible to employees is an important way of increasing user security awareness within an organisation. This portal can be used to hold resources including an organisation’s Acceptable Use (AUP) and Information Security Policies (ISP), its Incident Response contact details and even some basic ‘guides’ such as how to recognise a ransomeware attack and what to do immediately one is observed.
Training: Providing role-specific security training to everyone across an entire organisation is also a key way to improve security awareness. The training should be targeted, interesting and based on relevant topics. For example, the Human Resources Team may not need to know about the need to encrypt data at rest using strong encryption but they do need to know that access to different assets should be managed based on roles and so, depending on the company structure, it may be their responsibility to ensure that the details of all employee roles, role requirements and responsibilities which they provide to other teams including the IT team is accurate.
Recruitment: Within job descriptions for non-security specific roles, it is essential to include hints at an organisation’s culture and respect for security. This makes it clear to prospective applicants for these non-security specific jobs that they will be expected to have an appreciation for security and even some awareness of fundamental security principles including the use of Multi-factor authentication, or the need to make use of only strong passwords among other principles. It is also important to make sure that security is not only highlighted before and as soon as an employee joins a company, but throughout their stay including if and when they move positions within their organisation.
Informal communications: These are discussions which are driven by individual security team members and can be held, for example, over a meal or in an office games area. These sessions can be used as a relaxed way of reinforcing security principles and improving an organisation’s security culture.
Security Champions: Champions are security enthusiasts/evangelists who may or may not have any security experience and/or qualifications but who are keen on Cybersecurity as a field. The key point of note is that security champions are not employees who work in Cybersecurity specifically, but they work as members of other non-security teams within an organisation. For instance, they may be part of the DevOps, Developers, Scrum Masters, Product Owners, Delivery drivers, Human Resources or the Finance team. They are a good channel through which central security teams can pass important messages and updates to other teams and influence the culture within those teams and, by extension, the organisation’s wider security culture. Champions are very helpful for ensuring that central Application Security policies and processes are applied within their own teams.
User Awareness, as a security Control, can and should be measured over time in order to identify any gaps in its implementation and to ensure improvements are made over time whenever required.
To learn more, please call Alastair Dickson on 020 3962 2206.