
We live in the era of cyber insecurity. Prominent figures such as Ginni Rometty, CEO of IBM, and Warren Buffett have called cyber crime the biggest threat not only to companies but to humanity as a whole.

We have already reached the point where not only major corporations and institutions with the responsibility for maintaining the safety of our financial and personal data, but even governments are threatened by financially and politically motivated cyber attacks.

The danger is real, it is very serious, and it is likely to become greater, perhaps much greater, in the foreseeable future.

Here are some shocking statistics:

  • The cost of damages from cyber crime is predicted to hit $6 trillion annually by 2021, up from $3 trillion in 2015, described as "the greatest transfer of economic wealth in history" and more profitable than the global trade in all major illegal drugs combined [1]

  • Global ransomware costs are expected to have grown beyond $5 billion in 2017. That's an increase from $325 million in 2015—a 15-fold rise in just two years [2]

  • According to Microsoft, the potential cost of cyber crime across the globe is a mind-boggling $500 billion, and a data breach will cost the average company about $3.8 million [3]

And are businesses prepared? Let’s see what the stats say:

  • More than one-quarter (28%) of organizations appear to view cyber insurance as a substitute for cyberdefense investment [4]

  • Two-thirds of organizations say their in-house cybersecurity capabilities are adequate to protect against cyber threats, yet nearly 80% say they have been breached within the past year [4]

  • Cyber crime will more than triple the number of unfilled cybersecurity jobs, which is predicted to reach 3.5 million by 2021 [5]

Is there anything that you can do about it?

Yes. Whatever your role is in the world of information technology (whether you are a service provider, a developer, or a corporate or institutional user of IT services), there are effective steps that you can take to protect your data and operations, and those of your clients.     


Cyber Security: What's at Stake

In the past few years, the news has been filled with reports of data breaches affecting hundreds of millions of consumers, public leaks of sensitive and supposedly secure information, and politically motivated cyber attacks with extremely serious implications for both domestic politics and international relations.

Big Money, Big Danger

At this point, it is possible that no financial institution can be considered fully secure. Virtually all banks, lending institutions, investment services, and other businesses which form the core of the worldwide financial industry do a large volume of their business online. A typical online transaction passes through multiple systems (client, network, web front end, payment and back-office services), and each of them is a potential point of attack.

Personal Data

But cyber criminals target much more than online financial transactions. Online retail sales, business-to-business transactions, medical records, government records, and even personal data stored on desktop computers have all become targets.

Cyber Extortion

In addition, we are likely to see more and larger ransomware attacks, aimed at both individuals and institutions. These attacks are likely to become more sophisticated, and to be aimed at targets which provide vital and even lifesaving services. Potential targets may include key elements of the physical infrastructure, such as those which involve public safety.

Cyber Warfare

It is now clear that we have also entered the era of cyber warfare. We can expect both hostile foreign governments and non-governmental groups with political motivation to use covert online techniques (including data breaches, sabotage, and barrages of propaganda) to achieve their goals.

Cyber Security: What You Can Do

So, what can you do to protect your online assets and those of your clients? Here is a quick survival checklist for the Era of Cyber Insecurity:

Identify Targets

Identify those assets which are potential targets for criminal or cyber warfare attack. These include any kind of customer data (including names, passwords, and information used to verify identity), transaction records, sensitive business-related information, restricted-access government data, and any information which could be used to gain access to any of these assets.

Identify Potential Vulnerabilities

It may not be possible to identify all potential points of attack, but it is important to identify as many of them as you can. Make an exhaustive survey of all existing security measures and of all potential vulnerabilities. If possible, put together teams (an internal red team or external penetration testers) to attack those points of vulnerability, along with any others that they find along the way.

Eliminate Vulnerabilities and Add Required Security

Once you've found the holes in your system, patch them, and add whatever security measures are required to eliminate or neutralize the remaining vulnerabilities. These may include changes to application or infrastructure code, the addition of off-the-shelf security software, security-oriented monitoring, and even changes to IT staff behavior. After you implement these measures, subject them to the same challenge-based testing: a fix that has not been re-tested is only assumed to work.

Bake It In

This is the most important step of all. Make this entire process an intrinsic part of your DevOps continuous delivery chain. Security should be built into design, development, testing, deployment, and monitoring and analytics. It should explicitly or implicitly be a part of every change, every revision, every update.

The biggest mistake companies make is to include security as a box-ticking exercise at the end of a project - which almost guarantees vulnerabilities and flaws - rather than embedding it at every stage.
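As an added example of what "baking it in" looks like in practice (this is not code from the original article or from Contino's guide), here is a minimal build gate that runs over the files touched by a change, flags committed credential material and unpinned dependencies, and fails the pipeline stage on any finding. The detection rules, the deny list and the sample change are constructed for illustration; the only real identifier is AKIAIOSFODNN7EXAMPLE, the placeholder access key from AWS's own documentation. A real pipeline would run a SAST tool and a dependency-vulnerability scanner alongside a gate like this.

```python
"""Minimal CI security gate: fail the build when a change commits credential
material or introduces an unpinned dependency.  Added example; rules and
sample inputs are constructed, not taken from any real advisory feed."""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str


# Credential patterns that should never reach version control.  The AWS
# pattern is the documented AKIA + 16 uppercase/digit form; the password
# rule is deliberately loose (a false positive is cheap, a leaked secret is not).
SECRET_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(
        r"(?i)(?:password|passwd|secret|api_key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# requirements.txt parsing: the requirement name, and an exact '==' pin.
REQ_NAME = re.compile(r"^\s*([A-Za-z0-9_.\-]+)")
EXACT_PIN = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*==\s*\S+")


def scan_for_secrets(path, text):
    """Return a Finding for every line that matches a credential rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule,
                                        "credential material committed to source"))
    return findings


def check_dependency_pins(path, text, denied):
    """Flag unpinned requirements and packages on a project deny list."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):  # skip pip options such as -r / --index-url
            continue
        match = REQ_NAME.match(line)
        if not match:
            continue
        name = match.group(1).lower()
        if name in denied:
            findings.append(Finding(path, lineno, "denied-package",
                                    f"{name} is on the project deny list"))
        if not EXACT_PIN.match(line):
            findings.append(Finding(path, lineno, "unpinned-dependency",
                                    f"{name} is not pinned to an exact version"))
    return findings


def security_gate(changed_files, denied=frozenset()):
    """Run every check over the files in a change.

    changed_files maps path -> file contents.  Returns (passed, findings);
    the build passes only when there are no findings at all.
    """
    findings = []
    for path, text in changed_files.items():
        findings.extend(scan_for_secrets(path, text))
        if path.endswith("requirements.txt"):
            findings.extend(check_dependency_pins(path, text, denied))
    return (len(findings) == 0, findings)


# Constructed sample change.  AKIAIOSFODNN7EXAMPLE is the placeholder key
# from AWS documentation; the key block and the password are made up.
SAMPLE_CHANGE = {
    "app/config.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'hunter2hunter2'\n"
        "AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
    ),
    "deploy/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "requirements.txt": "requests==2.31.0\nflask  # unpinned\n",
}

# A change with nothing to flag, for comparison.
CLEAN_CHANGE = {
    "app/main.py": "print('hello')\n",
    "requirements.txt": "flask==3.0.0\n",
}


if __name__ == "__main__":
    passed, findings = security_gate(SAMPLE_CHANGE)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.detail}")
    sys.exit(0 if passed else 1)   # a non-zero exit fails the pipeline stage
```

Wired in as a required stage of the delivery pipeline, the gate runs on every change rather than at the end of the project, which is the whole point of the step above: the sample change is rejected for four separate reasons (a hardcoded password, a placeholder AWS key, a private key file and an unpinned dependency), while the clean change passes. Extending it is a matter of adding rules, not of scheduling another audit.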

Conclusion

You should assume that the security which you have today may not be adequate for tomorrow, or even later in the same day. To be secure in the era of cyber insecurity, DevOps can no longer simply be DevOps. It must become DevSecOps, and continuous delivery must mean continuous delivery of security that is up-to-date and strong enough to meet the challenge of this new age.

Want to learn more about DevSecOps? Download our white paper Introduction to DevSecOps: Best Practices for Adoption for an overview of DevSecOps and a guide to best practices across people, process and technology.

References

[1] https://cybersecurityventures....

[2] https://www.csoonline.com/arti...

[3] https://www.csoonline.com/arti...

[4] https://www.business.att.com/c...

[5] https://www.csoonline.com/arti...

  • Benjamin Wootton

    Co-Founder and CTO

    Benjamin Wootton is the Co-Founder and CTO, EMEA of Contino. He has worked with tens of enterprise organisations on DevOps transformation and is a hands-on DevOps engineer with expertise in cloud and containers.
