10 Questions to Ask Your Developer About Data Security

Niall Morrison

Data security is your means of protecting files, databases, and accounts using a number of industry standards and technologies. Depending on your project, some would argue it’s the most important element to get right. Whether you are working with a global client with millions of customers, or with a local startup with ten, protecting their data is key. So why do we not think about this until the end of the project?

We at Indiespring believe that safeguarding your customers’ data should be part of the process from the beginning, as you are defining your product. You want to make sure, right at the top, that your customers will feel safe and secure. Why would you buy a car that has no brakes? Why would you leave your house without locking the door? Why would you build a mobile app and let anyone be privy to sensitive data?

Common Types of Data Security

Authentication – Authentication is one of the easiest and most recommended ways to boost data security and protect against data breaches. Authentication technology verifies whether a user’s credentials match those stored in your database, using a combination of ways to identify an authorised user, such as passwords, PINs, security tokens, a swipe card, or biometrics. Two-factor authentication (2FA) is now becoming more common. This is when a system grants a user access only after two or more pieces of evidence are provided. For example, when you log in to iTunes, Apple will ask for your email and password, but will then send a code to your phone, which is their version of 2FA.

Access Control – At a high level, access control is a restriction of access to data. It can be broken down into:

Discretionary access control – which allows access to resources based on the identity of users or groups.

Role-based access control – which assigns access based on organizational role and allows users access only to specific information.
Mandatory access control – which allows a system administrator to strictly control access to all information.

Backups & Recovery – A data backup entails making a copy of your data and storing it on a separate system or medium such as a tape, disk, or in the cloud. You can then recover lost data by using your backup. This also includes regular reviews of the process to confirm who can access the backups for recovery.

Encryption – Data encryption software effectively enhances data security by using an algorithm (called a cipher) and an encryption key to turn normal text into encrypted ciphertext. To an unauthorized person, the cipher data will be unreadable. Think of it like a door that you can only open with the correct key. Data encryption is similar — in order to decrypt any information the user must have the correct key. You will also need to ensure that this key is securely stored.

Data Masking – Data masking software hides data by obscuring letters and numbers with proxy characters. The data is still there, behind the masking. The software changes the data back to its original form only when an authorized user receives that data.

Tokenization – Tokenisation is similar to data masking, but instead of masking the data, you substitute sensitive data with random characters that are not algorithmically reversible. A token representing the real data is used across different systems as a replacement, while the actual data is stored on a separate, secure platform.

Deletions & Erasure – This is reserved for data that is no longer needed and must be permanently cleared from the system. Erasure can overwrite that data so that it is irretrievable. Erasure is different from deletion, which is a process that simply hides data in such a way that makes it easy to retrieve.

10 Questions to Ask Your Developer About Data Security

There are a few things you should be asking your developers so your clients can rest assured you’re taking your data security seriously.
Data security comes in many forms and varies from project to project. But it’s a conversation you should be having with your developers. Here are some questions to get you started.

How secure do we need to make the data on this project and is it classified according to risk (high, medium, low)?

The type of security you install totally depends on your client and the project. If they are building an app that allows the user to save their favorite books to a list, then it obviously doesn’t need to be locked down like Fort Knox. On the other hand, if your developers know that sensitive data is going to be sent to the app via the API, then you need to assess whether you have to think about tokenisation. Sit down and rank your client and their data based on how severe a breach of that data would be. Only then can you build a picture of the security tools they need.

What are some basic useful tools we can use?

Sometimes data security is easy. We’ve all been there, staring at our computer screens, thinking of a password that is escaping us. If this is you, consider using tools like Bitwarden, Onepass or 1Password, all tools in which you can securely and safely store anything from passwords and API keys to your grandma’s secret recipe for bolognese.

Virtual private networks (VPNs) are becoming increasingly popular. A VPN gives you online privacy and anonymity by creating a private network from a public internet connection. VPNs mask your internet protocol (IP) address so your online actions are virtually untraceable. For example, using a VPN while on Netflix could lead you to see different content if your private network was connected to an American server.

How can we train the customer in Data Security?

A day with your developers and the client technical lead is all you need to ensure it’s considered. The key is making the client aware of how vulnerable they are. This isn’t to scare them — it’s to ensure they’ll take data security risks seriously.
What are the Data Security standards?

OK, granted, your developer isn’t going to know this one unless they’ve been involved in the process and completed something like ISO 27001 with your business. This is an international standard on how to manage your information security. It’s highly recommended, as you can proudly display this badge throughout your business and immediately your clients will know you handle data securely.

Are we prepared for a data breach?

What would happen now if someone started to attack one of your clients? How would you know? Are you prepared for everything? Do you have the processes in place to respond? This is where you want to install alerts on your servers, ensure regular backups and encrypted data. Unfortunately, hackers don’t always target global companies. Make sure if they target you, it’s not easy. You don’t have to have state-of-the-art security and ED-209 guarding your servers. Apply the security you can to ensure that you are making it harder for attackers.

How can we measure and comply with regulations or standards?

ISO 27001 is a great way to measure your compliance. This will be a regular business audit to ensure you are following their standards. However, appointing your own DPO (Data Protection Officer) is also recommended. This is someone who is internally responsible for ensuring you are compliant.

Have we updated our privacy notices and privacy policies?

Particularly with GDPR (General Data Protection Regulation), you need to ensure that your policies are regularly checked and updated if necessary. The Privacy Policy you created for your site or business isn’t a once-off document or paragraph that is never looked at again. It’s a living document that needs regular reviews and updates. This is to ensure that it is up to date with your data practices and meets the requirements of any new laws. You will also need to update this if your business changes.
For example, if you now accept two new payment methods, this must be reflected in your policy. A log of these changes should also be kept for historical reference.

Do we have something in place to destroy or delete data if requested?

Let’s face it, clients move on, and with GDPR you are told that it is up to you to justify how long you need to keep data based on your purposes for processing. You are in the best position to judge how long you need it. However, you must also be able to justify why you need to keep personal data. With sensitive clients, your developers need to ensure there is a quick way to purge the data if necessary. This also applies to local data — you should never have live data on a local developer’s machine.

Who do we notify of a security breach?

What’s the point in doing all this work, putting all the processes in place, to just not have a clue when someone has breached your security? In some cases, there can be severe financial penalties for mishandling data — just ask Uber about their $148m fine in 2016. You may also need to inform the ICO if any breach has accessed sensitive data. They will support you if any further action is required. Honesty is key when it comes to data breaches.

Are we vulnerable to third party applications hosted on our network?

Developers love a shortcut. Sometimes these shortcuts are to enable a bunch of third-party plugins rather than doing the work yourself. You can’t control when a third party will patch an issue. Your developers should be trusted to do it the best way rather than the quickest way.

I hope that this article has gotten you thinking of what you are doing, but more importantly, what you aren’t doing. Now is the time to go off and speak to your developers and start to implement these ideas. Don’t risk it! Data security is very important in this day and age when everything is online. Your clients/customers give you data; it’s up to you to make sure they can trust you with it.
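The difference between data masking and tokenisation described under Common Types of Data Security, together with the "quick way to purge the data" from the deletion question, shown as an added example in Python (not code from the original article or from Indiespring). `masked_view`, `TokenVault` and the `tok_` prefix are hypothetical names, the in-memory dictionaries stand in for the separate, secure platform, and the card number is a constructed test value.

```python
import secrets

def masked_view(pan: str, authorized: bool, visible: int = 4) -> str:
    """Data masking: proxy characters for everyone except an authorised user."""
    if authorized:
        return pan
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= visible:          # too short to reveal any part safely
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]

class TokenVault:
    """Hypothetical in-memory stand-in for the separate, secure platform."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value: str) -> str:
        # One value keeps one token, so every system can share the same token.
        if value not in self._token_by_value:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from value
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return self._token_by_value[value]

    def detokenize(self, token: str, authorized: bool) -> str:
        if not authorized:
            raise PermissionError("caller is not allowed to see the real data")
        return self._value_by_token[token]  # KeyError once purged or if unknown

    def purge(self, token: str) -> bool:
        """Deletion on request: drop the real value; leftover tokens become useless."""
        value = self._value_by_token.pop(token, None)
        if value is None:
            return False
        del self._token_by_value[value]
        return True

if __name__ == "__main__":
    SAMPLE_PAN = "4111 1111 1111 1111"  # constructed test value, not a real card
    vault = TokenVault()
    order = {"id": 1001, "card": vault.tokenize(SAMPLE_PAN)}  # app stores the token only
    print(order, masked_view(SAMPLE_PAN, authorized=False))
    print(vault.detokenize(order["card"], authorized=True))
    print("purged:", vault.purge(order["card"]))
```

Because the token is random rather than computed from the card number, a copy of the application database alone reveals nothing; the real value lives in one place, which is also the one place a purge request has to reach.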