Unprepared for GDPR? 3 steps you can take now
11 May 2018
TEISS guest blogger Derek Weeks, VP and DevOps Advocate at Sonatype, reveals 3 top steps you can take now if you're still unprepared for GDPR!
In two weeks GDPR will become law. Unfortunately, far too many organisations are ill-prepared when it comes to their compliance readiness. The first large-scale breach following 25th May will demonstrate just how unprepared the industry is when it comes to its cybersecurity hygiene.
One key requirement of GDPR is the need to ensure data protection measures be implemented “by design and by default,” making it vital that privacy and security become ingrained in every element of IT infrastructure. As a result, software security is increasingly coming under scrutiny.
Bad cybersecurity hygiene
Developers, who once wrote all of their code from scratch, are now assembling 80-90% of every new software application from packaged bits of code borrowed from public sources. While these components are instrumental in driving innovation and accelerating time to market, our research has found that 1 in 8 open source components downloaded in the UK contain a known security vulnerability.
While 58% of organisations have some form of policy in place to govern component quality and security, as many as 46% of people ignore those policies. When it comes to cybersecurity hygiene within development practices, the risk of breaches is significant.
Our 2018 DevSecOps Community Survey of 2,076 IT professionals revealed that open-source-related breaches are up 55% year over year – impacting 1 in 3 of participant organisations. Parallel to the survey results, recent research suggests that nearly 30% of businesses are unprepared for the legislation, placing them at risk of huge fines – up to £17 million, or 4% of global annual turnover, whichever is higher.
3 steps to better cybersecurity hygiene
As the countdown ramps up, companies can take three steps to improve their cybersecurity hygiene:
First and foremost: identify what's in their software – a sort of health check. This provides the opportunity to identify any vulnerable components, update to safer component versions and ensure those versions are the ones actually deployed into production environments.
Secondly: invest in training to help upskill teams. With developers outnumbering security professionals 100:1, security needs to become the responsibility of the whole team, not just a select few. Security teams will never scale to the size of development teams, so new approaches toward training and guiding developers in secure coding practices are imperative.
Finally, businesses should look to utilise DevSecOps principles aimed at building in quality. In DevSecOps practices, governance and compliance guardrails must be embedded early and throughout the software development lifecycle, helping to dramatically mitigate risk. When defects are flagged, developers are guided through remediation with automated intelligence that helps to identify safer component alternatives to use. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%.
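The first and third steps above, a component health check and a policy guardrail, in minimal working form. This is an added example, not code from the article or from Sonatype; the manifest format (name==version lines), the fictional component names, the advisory data and the EXAMPLE-* ids are all constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    name: str
    affected_below: str   # versions strictly below this are vulnerable
    fixed: str            # safer version a developer is steered towards
    advisory_id: str      # placeholder id, not a real CVE

def parse_version(v):
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))

def parse_manifest(text):
    """Build the component inventory from 'name==version' lines; skip comments."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            inventory[name.strip().lower()] = version.strip()
    return inventory

def health_check(inventory, advisories):
    """Step 1: list (name, current, fixed, id) for each vulnerable component."""
    findings = []
    for adv in advisories:
        current = inventory.get(adv.name)
        if current and parse_version(current) < parse_version(adv.affected_below):
            findings.append((adv.name, current, adv.fixed, adv.advisory_id))
    return findings

def guardrail(findings, waived=frozenset()):
    """Step 3: fail the build unless every finding has an explicit, recorded waiver."""
    blocking = [f for f in findings if f[3] not in waived]
    return len(blocking) == 0, blocking

# Constructed sample inputs: fictional component names and placeholder ids.
SAMPLE_MANIFEST = """
# constructed lockfile for the demo
jsonparse==1.4.2
imgutil==0.9.1
webframe==2.3.0
"""
SAMPLE_ADVISORIES = [
    Advisory("jsonparse", "1.5.0", "1.5.0", "EXAMPLE-0001"),
    Advisory("imgutil", "1.0.3", "1.0.3", "EXAMPLE-0002"),
    Advisory("webframe", "2.0.0", "2.0.0", "EXAMPLE-0003"),
]

if __name__ == "__main__":
    ok, blocking = guardrail(health_check(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES))
    print("build passed" if ok else f"build BLOCKED, upgrade needed: {blocking}")
```

Wired into a build pipeline, the guardrail gives the instant feedback loop the article describes: the two outdated components block the build with the safer version named, while webframe passes because it is already above the affected range.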
All three of these require a change in mindset, making it vital that businesses act now. It is still possible to make great strides in boosting application security, taking organisations one step closer to GDPR compliance while dramatically reducing the risk of breaches.
For more information about Sonatype go to https://www.sonatype.com