You've likely heard the phrase, "Size matters." And you've probably heard, "It's not the size of the dog in the fight; it's the size of the fight in the dog," too. Whether you believe Cosmo or Twain is up to you, but one thing is certain: The democratization of the internet means small shops and major commercial developers alike can deliver third-party software on a level playing field — and deliver it through the same channels.
For smaller businesses with low budgets, innovative ideas and a few smart folks behind them, that's great news; however, it's a nightmare for enterprises that source their software and applications from a variety of developers. Why? Because while some applications can be trusted, others might have suffered through development shortcuts taken to save money and time.
With less to spend and less to lose, it makes sense that small enterprises would try to deliver great products while turning profits. But as hackers get more creative, software consumers have to be more vigilant than ever. The only way to prevent attacks through third-party software is to take a consistent, policy-based approach to security. That will ensure that both the giant customer-relationship management program and the tiny meal-ordering widget your enterprise relies on will receive the same comprehensive security vetting before being introduced to your organization.
Think about the breaches you've heard about recently. The one at Target occurred when hackers accessed an air-conditioning repair company's email domain. At Home Depot, they found a way in through a third-party software supply chain and read credit cards as they were used at self-checkout stations. And while both retailers had to withstand the public heat and blows to their credibility, it's easy to see how this could happen: After all, wouldn't you trust your air-conditioning unit repair guy?
Trust. That's what all this boils down to. Both of these major corporations had Achilles' heels residing in their service providers' deepest, darkest corridors, far beyond the reach of traditional corporate security policies. They had to figure that out the hard way — but you can learn from their mistakes. So how do you know you can trust your vendor?
All apps aren't created equal, but they all must be held to the same high standard — and if they're not, it's your company's reputation at stake. The best solutions will promote the security of their software and even work with you to ensure that their product meets your security needs. That means if a small, niche app is an inexpensive answer to your organization's needs but doesn't demonstrate compliance with your security policy, or isn't even willing to talk about its security measures, it's not the right fit for you. With the media reporting attacks on major organizations, attackers are quickly learning about the ways in which enterprises are vulnerable. Don't let the need to save a few quick dollars cost you a stellar track record.
When it comes to software providers, size doesn't matter. It's hard to trust anyone these days — not because everyone has malicious intent, but because every piece of software has flaws. So how can you ensure your company is holding each vendor to the highest set of standards? Start by doing your research and choosing your vendor objectively, then craft a contract that brings security to the forefront of your relationship. Remember: Whether an app's been developed by your best friend's niche software shop or a major security enterprise, the same security requirements must be met.
Even if an app is deemed safe upon release, the more it's used and the more it interacts with critical data, the more valuable it becomes to hackers — and the older it gets, the more vulnerable it is. Continually performing security testing, and engaging with your software suppliers regardless of their size, will prevent once-safe software from slipping through the cracks.
The key to security is to maintain a high standard for all apps and vendors. Whether a company works on air-conditioning units or sells thousands of them per year, its software must be subject to the same scrutiny — after all, any company is a potential target for hackers, and it's only through comprehensive security policies that yours can be the safest (and most trustworthy) around.