Organizations need to plan better for inevitable application security failure
In the cybersecurity world, there is nothing quite as painful as a data breach involving a high-profile application that everyone knows about. Case in point is the Small Business Administration (SBA), which just revealed the exposure of the personal information of 7,913 individuals who applied for emergency relief loans to retain employees during the economic downturn brought on by the COVID-19 pandemic.
The bug in the application created by the SBA has since been fixed. However, everyone associated with that project is dealing with the ramifications. Beyond the need to make credit tracking services available for free for a year, the SBA is navigating yet another public relations disaster involving its loan programs. This one, however, reaches all the way into the IT department.
A survey published this week by Kaspersky illustrates how disruptive data breaches really are. The report finds that, among employees involved in the aftermath of an incident, 30% missed an important personal event, 32% had to work overnight, and 33% suffered additional stressors. Just over a quarter of respondents (27%) had to cancel vacations. No matter the extent of the breach, there is plenty of stress to go around, especially when so many employees are working from home. Launching a new application in that environment requires a lot of courage.
Preparing for the worst
The truth of the matter is that organizations should assume there is going to be some sort of cybersecurity issue any time an application is rolled out. Applications have become more complex, while the on-premises IT infrastructure on which they are deployed is often archaic. Public clouds, of course, make modern IT infrastructure easily accessible, but the odds are good that an application deployed in the cloud will be misconfigured.
Most organizations would be well advised to have a security incident management playbook to fall back on when rolling out a new application; it reduces organizational stress when something goes wrong. As well-intentioned as everyone in IT might be, not every aspect of an application release is predictable. There is almost always some nuance of the production environment that the people testing the application were not able to precisely replicate, and it can have unforeseen consequences.
Of course, the best course of action is to roll out an application in phases whenever possible. The trouble is that most application development projects fall behind schedule. Naturally, one of the first things to get short shrift is testing, especially when it comes to potential security issues. Most developers figure they can catch up on any bugs that might make it into the final release within a few days of deployment. Murphy's Law, however, dictates that one of those bugs is likely to create a catastrophic security incident. The more pressing the deadline, the more probable it is that some critical aspect of the project will be overlooked or disregarded.
There is never going to be perfect security, no matter how hard anyone tries. Rather than deny something everyone already intrinsically knows, prepare for the worst while continuing to hope for the best.