“Digital transformation” is a term that everyone has become familiar with over the past few years, as businesses and society continue to deploy the latest technologies to accelerate change and reduce inefficiencies.
In fact, nearly a third of business leaders are actively pursuing digital transformation projects, with a further 29% either planning for, or considering, such projects for the future.
As business dependency on software continues to grow, businesses are allocating a large part of their budgets to software-led digital transformation projects. In a recent research report published by CA Veracode, one in five business leaders reported that their software budget had increased by 50% or more over the past three years.
As impressive as this evolution is, new software brings new threats to the overall security of an organisation. Rarely does a week go by without a data breach in the news, so understanding the risks and vulnerabilities that software introduces is essential if businesses want to keep attackers at bay. The question is, do organisations really understand the risk that unprotected software poses?
The risk is real
Alarmingly, business leaders’ understanding of the risk that vulnerable software brings to an organisation is very low. Despite cyber attacks regularly making the headlines, the C-suite is still struggling to get to grips with the different types of threat and how each one affects an organisation.
From ransomware to phishing to vulnerable open source components, business leaders still do not understand the common cyber security threats which, if successful, can have devastating and long-lasting consequences for organisations of all sizes.
Equifax provides a clear illustration of how poorly informed business leaders are about the cyber security landscape. Last year the credit reference company fell victim to a data breach, caused by attackers exploiting an unpatched Apache Struts 2 vulnerability (CVE-2017-5638) in a public-facing web application, which affected 145 million US consumers and 700,000 British customers.
Despite the widespread effects of the incident, just 28% of business leaders in the UK had heard of the Equifax breach. The same survey also revealed that less than a third of business leaders understand the risk that vulnerable open source components pose to their organisation.
This is particularly worrying when you consider how many software applications are exposed to exploitation. The recent State of Software Security (SoSS) report, based on application security testing data from 2017 scans, found that 88% of Java applications have at least one component-based vulnerability, that is, a known vulnerability in a third-party library the application depends on.
Ultimately, vulnerable open source components are present in most code bases, and cyber attackers know this. As attack techniques become more advanced, and public exploits for newly disclosed component vulnerabilities appear within days, cyber attackers take advantage of these vulnerabilities to cause both financial and reputational damage to an organisation.
A worrying state of affairs
The lack of awareness around cyber security threats, and the risk that they pose to an organisation, is a troubling state of affairs. Unfortunately, protecting an organisation against a threat becomes very difficult if you do not know that the threat exists. Crucially, the security team will not get the budget or the resources it needs to combat a threat if the executive team does not see the urgency of the situation.
Security investment requires awareness of both who specifically is being breached and how they are being targeted. With this information, business leaders can distinguish theoretical threats from real ones. If they can work out how cyber attackers are targeting similar organisations, they can devise a robust protection plan for their own.
In the real world, for example, if you knew that a thief was targeting the car of your neighbour, you would be careful to lock your own car. Similarly if you knew thieves were seen driving a white van, you would call the police if you saw an unknown white van pull into your driveway. When it comes to security, knowledge is the key.
So what now?
If IT leaders want support for their cyber security initiatives, they need to spotlight and explain recent breaches to executives in a way that they will understand, and in a way that makes the breaches less abstract concepts and more a call to action.
Developers also have a role to play in ensuring that software is secure. Upskilling developers through eLearning courses or remediation training can be a highly effective way to improve software security. However, with 86% of IT professionals saying that their organisation does not spend enough money or time on application security training, there is clearly still a long way to go in equipping developers with the capabilities they need to keep software applications secure.
Furthermore, testing software applications for vulnerabilities early and often is an essential process if businesses want to avoid being the next victim of a cyber attack. New vulnerabilities are discovered all the time, including in components that were clean when an application shipped, so systematic, repeated software security testing ensures that vulnerabilities are found and remediated quickly, before attackers can exploit them.
Keeping the digital economy secure is no easy feat, but the hackers are not going to go away on their own. Business leaders need to understand the risks that insecure software can bring to their organisation and, armed with this information, put in place the necessary steps to keep their business cyber safe.
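The component-based vulnerabilities described above, and the repeated testing this paragraph calls for, are easiest to see in a concrete check. The script below is an added example, not code from the article or from CA Veracode: it parses a constructed sample Maven pom.xml, resolves `${property}` version references, and flags any dependency whose version falls inside a known-vulnerable range. The only advisory entry is the struts2-core range from Apache advisory S2-045 (CVE-2017-5638, the Equifax vulnerability); in a real pipeline the `ADVISORIES` table would come from a vulnerability feed, and the check would run on every build so that a component that was clean yesterday is caught when a new advisory lands.

```python
"""Flag known-vulnerable Maven dependencies in a pom.xml (added example)."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml for illustration only. The struts2-core version
# is pinned through a property, as many real builds do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>
"""

# Advisory table: (group, artifact) -> [(min_inclusive, max_inclusive, id)].
# The struts2-core ranges are those published in Apache advisory S2-045 for
# CVE-2017-5638. Embedded here as sample data; a real scan uses a live feed.
ADVISORIES = {
    ("org.apache.struts", "struts2-core"): [
        ("2.3.5", "2.3.31", "CVE-2017-5638"),
        ("2.5", "2.5.10", "CVE-2017-5638"),
    ],
}


def parse_version(version):
    """Turn '2.3.30' into (2, 3, 30); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def in_range(version, lo, hi):
    """Inclusive range test; pads so that '2.5' and '2.5.0' compare equal."""
    v, l, h = parse_version(version), parse_version(lo), parse_version(hi)
    n = max(len(v), len(l), len(h))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(l) <= pad(v) <= pad(h)


def dependencies(pom_xml):
    """Yield (groupId, artifactId, resolved version) for each dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(POM_NS + "properties/*")}
    for dep in root.findall(POM_NS + "dependencies/" + POM_NS + "dependency"):
        get = lambda tag: (dep.findtext(POM_NS + tag) or "").strip()
        # Resolve ${name} against <properties>; unknown names are left as-is.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         get("version"))
        yield get("groupId"), get("artifactId"), version


def find_vulnerable(pom_xml, advisories=ADVISORIES):
    """Return [(groupId, artifactId, version, advisory id)] for flagged deps."""
    hits = []
    for group, artifact, version in dependencies(pom_xml):
        for lo, hi, advisory in advisories.get((group, artifact), []):
            if in_range(version, lo, hi):
                hits.append((group, artifact, version, advisory))
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_POM):
        print("VULNERABLE: %s:%s %s (%s)" % hit)
```

Run as a CI step and fail the build when `find_vulnerable` returns anything. The version comparison is deliberately simple; Maven qualifiers such as `-SNAPSHOT` or `.RC1` compare as zero here, so a production scanner needs the full Maven ordering rules.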
Source: Paul Farrington, manager, EMEA Solution Architects, CA Veracode