The pandemic has created a whole new vocabulary of words and phrases – quaranteams, Zoom, new normal, lockdown, social distance. They will be words that sum up a generation.
I for one can’t think of a time when the word ‘testing’ was part of common speech to the extent it is today. We use, hear and read it every day. But we have all come to realise just why it is such an important foundation to rising out of the pandemic. The fabric of our lives hinges on access to accurate tests and a quick diagnosis. Without them, lives go on pause through isolation, or worse.
But finding a model that works, is cost-effective, and is resourced with the right people not just to test samples but also to conduct contact tracing has proved elusive.
What I’ve found interesting as I’ve watched the debate unfold are the parallels it has with security. Investment in cyber hygiene is essential, but it is not a one-time occurrence and must be maintained. Invariably, other priorities arise and something else in the IT budget has to give. You can’t make progressive investment in new technology if you don’t have the money to do so. CTOs face the decision of robbing Peter to pay Paul.
Yet the pandemic shone a light on things. You can accelerate digital transformation and find the money when your business survival depends on it. Shifting to e-commerce models, introducing apps that let people order food in a restaurant without touching a menu, through to getting people working from their safe place, has tested infrastructure and the status quo. But it happened. Companies had to make it work. Innovation rose from the ashes.
However, they also made compromises, and the biggest indicator of those compromises is the spike in cyber-attacks over the last six months. Companies have opened the floodgates to malicious actors who have sought to capitalise on the situation. Remote working was the first culprit. Rolling out unpatched VPN and RDP services has taken its toll. Hackers had a field day, exploiting known vulnerabilities and infiltrating systems just for fun, or to do untold damage by slowing e-commerce platforms, stealing data or IP, or scraping customer information.
Then there was the extraordinary move to the cloud. Companies brought plans forward by years such was the need for a radical response. It was a testament to the IT skill in the UK – and around the world given the many partners that will have been involved – to deliver network change, mobilise digital platforms and move applications online.
But just as hackers were waiting in the wings to infiltrate VPNs, so they were waiting for the false moves a cloud strategy prompts. Applications were a hunting ground, of that there is no doubt. Hackers relied on the fact that the pressure to release applications quickly would override any security testing. And they were right to place their bets, as evidenced by the exponential rise in application breaches.
It brings to the forefront that any strategy designed to outwit the competition, retain customers and deliver innovative customer experiences must have a security model at its heart. The case to include security testing in development of apps and cloud models has been proven. You simply can’t release apps, overlook security and expect to remain a trusted brand. Consumers won’t tolerate it anymore, and neither will data commissioners.
However, testing an app or any related infrastructure before launch isn’t enough anymore either. Regular testing is essential. Software changes to keep up with innovation and customer habits, and with that come new threats and the discovery of new vulnerabilities. Understanding this and embarking on a cycle of continuous testing has to be the default for any application.
But the pressure to deliver this level of service is too great at the moment, as IT budgets are pulled in every direction. That’s why crowdsourcing models are rising on the radar of hamstrung CTOs. They can now draw on the skill and expertise of people around the world, scaling it up and down ahead of a new launch or update, and spot-test applications either by keeping the service ‘always on’ but turning it up and down as needed, or by running specific penetration testing programmes that put the network and apps through their paces, uncovering weaknesses that can be fixed before they are exploited.
It’s a model that is gathering pace in financial services, but also in the airline, oil and gas, energy, mobile and car industries as they develop internet of things (IoT) and ‘smart’ business models. It’s a really exciting future that presents itself, but it can only be trusted if it’s secure. Crowdsourced models are overcoming the traditional challenges of budget and skill, and as we move into 2021 it will be a model that becomes a staple, not a nice-to-have.
Adrian Crawley is the VP of sales for Synack’s EMEA division. With a long career in cyber security, Adrian advises companies on strategy, and in particular how to secure the enterprise and applications using crowdsourced security testing models.