The software and technology (S&T) industry has been facing an increase in cyberattacks over recent years. These attacks impact organizations as well as customers. In order to help our S&T clients, Baker Tilly developed the following list of common issues affecting the S&T industry as a starting point toward improving your cybersecurity posture and readiness to respond to a cyberattack.
Change management
S&T organizations have to closely manage changes not only to their environment (infrastructure) but also to their software. Many do this through governance programs, including peer reviews, that give a comprehensive view of the changes occurring within their environment. However, not all changes are managed equally. Leading practices suggest a risk-based approach because internal resources and time are limited. Yet as environments have become more complex and more integrated, many organizations do not properly consider the upstream and downstream impacts of their changes. We have seen many real-world examples of small changes to minor services that caused significant impacts on upstream services, including affecting the availability of those services to customers. Change management activities need proper governance, and when assessing change-related risks the organization should understand, both upstream and downstream, how the change could affect other services and customers.
Supply chain
No example stands out more than SolarWinds. Not understanding the third-party libraries or software in use, and the changes to those third-party applications, can cause serious harm to your internal services and to the services you provide to customers. Software is rarely built without third-party dependencies, but organizations tend to overlook the risk of using code or services that they do not control. Risk management activities mostly focus on risk factors that an organization can control and can miss the underlying risks of using third-party developed solutions. Attackers have targeted these third-party solutions in recent years as a way to gain a foothold in a broader set of organizations. S&T organizations should inventory the third-party libraries and software used in their products or services, and regularly monitor and assess changes to those components so that the full picture of risk is understood and can be managed appropriately.
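As an added illustration of the inventory-and-monitor step above (example code, not Baker Tilly's or any product's): a check that compares the dependency inventory approved at the last review against the current lockfile and reports every addition, removal or version change for review. The inventory contents are constructed sample data, and the pip-style `name==version` pin format is an assumption.

```python
"""Added example: flag drift between an approved dependency inventory and the
current lockfile so every third-party change gets reviewed. Sample data is
constructed; the 'name==version' pin format is an assumption."""

# Constructed: the inventory approved at the last review.
APPROVED_INVENTORY = """\
requests==2.28.1
urllib3==1.26.12
pyyaml==6.0
"""

# Constructed: the lockfile as it looks in today's build.
CURRENT_LOCKFILE = """\
requests==2.31.0
urllib3==1.26.12
cryptography==41.0.3   # pulled in by a new feature branch
"""

def parse_pins(text):
    """Parse 'name==version' lines into {name: version}; skip blanks and comments."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            # An unpinned entry cannot be inventoried reliably: fail loudly.
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins

def compare_inventory(approved_text, current_text):
    """Return {'added': {name: new}, 'removed': {name: old}, 'changed': {name: (old, new)}}."""
    approved, current = parse_pins(approved_text), parse_pins(current_text)
    drift = {"added": {}, "removed": {}, "changed": {}}
    for name, ver in current.items():
        if name not in approved:
            drift["added"][name] = ver
        elif approved[name] != ver:
            drift["changed"][name] = (approved[name], ver)
    for name, ver in approved.items():
        if name not in current:
            drift["removed"][name] = ver
    return drift

def needs_review(drift):
    """True when any dependency was added, removed, or changed since approval."""
    return any(drift[k] for k in ("added", "removed", "changed"))
```

Run in CI against the committed lockfile, a non-empty drift report blocks the build until someone has reviewed the new, removed or upgraded component.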
Secure coding
Developers are taught best practices for developing their code; however, even the most experienced developers can make mistakes that introduce vulnerabilities into an organization's software or environment. Secure coding practices start with a continuous education program for developers, so that they are aware of the security risks and top vulnerabilities associated with software development. Additionally, organizations should implement code scanning solutions that automatically scan newly developed code for security vulnerabilities. These tools combine static code scanning and dynamic code scanning to provide a comprehensive view of how code is built and how it operates in real-world scenarios. But deploying and using the tools is only part of the process of minimizing vulnerabilities in code; the other part comes down to reporting, tracking and remediating the vulnerabilities identified in a consistent and expedient manner.