At around lunchtime on July 8, 2015, trading at the New York Stock Exchange came to a halt when NYSE decision-makers recognized a “technical issue” associated with a software release. Reports since then have been vague regarding what the issue was and how it was remedied, but it seems symptomatic of problems that affect businesses of all sizes.
The NYSE outage could be the result of a coding problem. When code is flawed, businesses may not notice the problem until their security has already been compromised. And while many people with knowledge of the NYSE event say it wasn’t the result of hacking, problematic code can occasionally allow hackers to exploit a security vulnerability.
In this two-part post, we’ll look at how businesses may be unknowingly putting themselves at risk, and what they can do to protect themselves.
Checks and Balances
An error in code is easy to miss, and many businesses may lack the internal expertise to double-check code during development. If you have internal developers, it’s a good idea to have an external source code auditor review all applications before launch, to ensure there are no security deficiencies.
Some companies take testing a step further by hiring external hackers to test their resistance to breaches and attacks. Three of the top U.S. Department of Defense contractors – Raytheon, Boeing and Northrop Grumman – hire hackers to test the strength of their firewalls.
In 2015, United Airlines said it would pay up to 1 million flyer miles to hackers who remotely detect security flaws in its IT systems. But as the airline discovered earlier, even when your own house is in order, a third-party contractor or supplier could expose you to risk.
In January 2015, United Airlines and American Airlines announced that hackers had accessed thousands of traveler accounts and were even able to book flights using someone else’s identity. The airlines said hackers had gotten access to customer data via third-party websites.
Third parties have been blamed for a number of costly, high-profile data breaches, affecting companies such as Lowe’s, Target, Goodwill Industries International and Kmart. Any time a business has a supply chain made up of multiple companies, there is a risk that one or more of those providers could compromise the security of your data.
Before doing business with another provider, you need a thorough service-level agreement (SLA) that shows your requirements and expectations regarding security. The SLA should state, among other things, what will happen if a data breach occurs, and who will be responsible for tasks like reputation management, investigations and paying associated costs.
Check back next week for Part II of this post, “Why Audits Really Shouldn’t Scare You,” when we’ll be talking about the importance of technology audits in identifying risk and preventing attacks. In the meantime, if you want to talk in person, schedule a tour of Lifeline Data Centers today.