PGI’s CTO, Keith Buzzard covers five areas that your organisation should consider when investing in new enterprise technology.
There was a time when procuring new software to streamline a process was fairly straightforward – identify a gap or problem, find a software solution, pay for it, install it (and maybe teach people how to use it).
But cyberattacks are on the rise and with every new piece of software or infrastructure installed, there is potential for threat actors to find an entry point into your systems.
When clients are onboarding new tech, the first thing I advise them to do is plan as much as possible in advance.
It’s important to analyse the risks involved and what steps should be followed – it will save money, pain, time and, of course, make your systems as secure as they can be (while still being useable).
Anything that has to be implemented by your IT team falls under this banner.
It will normally run on a computer, and it usually requires some sort of business change. Of course, there are anomalies – but if we were to take the example of a new software package being deployed, these are some of the different aspects to consider…
Security and IT teams should be involved in procurement processes right from the start.
More often than not, security is not bedded into new tech as standard, so your security team is vital for safeguarding any potential investments before any money is spent.
We all have different perspectives and often because members of the team responsible for buying the tech usually don’t have to worry about the security aspects in their day-to-day jobs, it’s not something they consider (especially if they think all the extra security settings will slow things down – a common misconception).
Ensuring security is considered from the beginning of the procurement process means security is helping not hindering.
A note on Shadow IT while we’re here, even if a platform is for one department, security and IT teams should be involved in the process of procuring it (see: Compatibility).
Supply chains have never been under so much pressure. Understanding how a supplier needs to interact with your systems and even who is part of their supply chain are important elements, and it can be a nightmare to audit all of those links (not to mention time-consuming).
However, it is of vital importance to make sure that new tech is as robust as possible. Developing your IT systems assuming they will be breached means you can be ahead of the game.
By the way, have you considered the geopolitical element? Do you know where your software support is based and maintained?
We are seeing a lot of supply chain software problems due to the war in Ukraine, as many teams are based there. If the support team is in Ukraine, they probably can’t do support right now, and if they’re in Russia they’ve probably been sanctioned. How will this impact your operations if something goes wrong?
In 2022, making sure your technology is following regulatory compliance is as important as any other aspect of cyber security. There are very specific frameworks, policies, regulations and laws that must be adhered to, from GDPR to Cyber Essentials to ISO 27001, and your new tech must comply with all that apply.
From a practical standpoint, each business is likely to be different in terms of what it needs from a compliance perspective.
If we took a Payroll team as an example, it could be that each new user added also requires a second person to audit it, so as to reduce the chance of fraud. Our advice is always to go through all the compliance security checks first, as post purchase changes can be expensive to implement.
Imagine investing in a companywide platform that was impossible to integrate with existing systems without further expensive work (or in a worst-case scenario, nothing will get things working).
Any new tech definitely needs to support enterprise IT standards. Ideally it supports single sign on, so it knows you’re authenticated without additional passwords. Ideally it collects logs—detailed logs—and sends them over to your logging server that you have already set up, so you can audit what users have done. And it should work on a modern browser, and not Internet Explorer 4!
How you will leave a product? And what is your plan for moving your data in and out of it? How does the new package integrate with your existing systems? How is the extraction of data going to occur safely?
It might be that the exit plan involves a member of staff manually transferring data from the old system to a new one. It may be that standardised, easily accessed components are used, which can be extracted programmatically.
Either way, data migration exercises can be expensive, time-consuming and risky. Planning for a migration prevents vendor lock-in and may allow the avoidance of expensive price rises.
However, any feature that might make it easier to copy all of the data out of a system may also be used by an attacker.
This means we’re getting into the world of application programming interface (API) security. PGI can run penetration tests on APIs to make sure they are secure and working how they’re meant to, in order to get reassurance that there are no data leaks that way.
This is in no way an exhaustive list, but it is a good starting point, and we encourage you to get in touch to discuss your new tech purchases further with our team. And when you have it in place, we can help you with configuration reviews, compliance consultancy and penetration testing: sales@pgitl.com or +44 20 4566 6600
Last week, Bellingcat released their ‘Seven Deadly Sins of Bad Open Source Research’. The article lays out the glaring errors they’ve observed by practitioners online, especially regarding the conflicts in Gaza and Ukraine.
April 2024 marks the 40th anniversary of the Diretas Já civil movement in Brazil, a mass movement demanding direct presidential elections and a return to democracy after two decades of military dictatorship.
Last week, British comedian, Joe Lycett revealed he had successfully seeded four fake stories within the British press.