The Rising Cost of Poor Software Security

Architecture | Eoin Woods | 12 July 2019

At Endava we take security seriously in all of our projects, so seriously in fact that we have a specific approach to developing software that we call "Secure Development", in which we add additional activities and steps (such as threat modelling and vulnerability scanning) to our normal software lifecycle activities. This is often in conjunction with a DevOps approach to delivery, integrating security activity into the cross-functional team, resulting in so-called “DevSecOps”. Of course, this requires more effort and a bit more budget, in the same way that delivering additional features would.

It has become apparent that sacrificing secure development to save costs is more common than not. This week a well-known FTSE 100 company (not an Endava client) discovered just how expensive the alternative can be, highlighting the need to prioritise security in the development and operation of your systems. In mid-2018 they were hit by a cyberattack which compromised customer data including names, addresses, log-in credentials, payment card details and travel booking details. A year later, the UK Information Commissioner's Office (ICO) announced that the business had failed to protect the fundamental privacy rights of its customers and issued a notice of intention to impose a significant fine on the company under the GDPR.

And it's not just this FTSE 100 company that may be feeling the consequences of inadequate cybersecurity measures. A well-known Fortune 500 company may also be facing a fine after a cyberattack that began in 2014, in which hackers stole the records of several hundred million customers. In this case too, the ICO has communicated its intention to issue a hefty fine against the group for GDPR-related infringements.

While cybercrime may be virtual, the threat is very real, and it requires the same level of consideration as physical security does, if not more. Cyberattacks are a crime, just like burglary, but you wouldn't skip fitting an alarm and locking the door in the hope that your property will remain safe simply because the law is on your side. The same thinking needs to apply to cybersecurity. Businesses need to take sensible precautions while developing and operating software to make it as difficult as possible for cybercriminals to mount an attack against them.

These cases illustrate that regulators are finally taking cybersecurity incidents seriously and will levy fines that are not just a rounding error in the company's accounts, to be dismissed as a "cost of doing business". And this is exactly how it should be.

Cybercrime is not going to go away. In fact, Juniper Research predicts that 'cybersecurity breaches will result in over 146 Billion records being stolen by 2023'. The same report expects 'the number of records breached to nearly triple over the next 5 years, while cybersecurity spend will only increase by an average of 9% per company per annum'. For those businesses that are already focused heavily on security, perhaps that increase will be enough; for the rest, who have been skipping these vital steps to save money, that level of investment probably won't be.

Beyond the fines, the cost of a cyberattack is far-reaching. A 2018 Ponemon Institute study found that the 'cost of the average data breach to companies worldwide amounted to US$3.86 million' and that 'the average time it takes to identify a data breach is 196 days'. Once you have lost the trust of your customers, it can take years to get it back.

Organisations have a duty of care to their customers to take reasonable precautions to keep their personal details safe from cyberattacks. Developing software with a serious focus on security is an important part of meeting that duty. And suddenly, in the new regulatory environment, it looks like much better value for money!

Eoin Woods

Chief Technology Officer

Eoin provides technical strategy advice to our major clients and works with our delivery organisation to ensure that the right people, tools, technologies, and processes are in place. Outside work, he is an enthusiastic amateur trumpet player, dwelling in a wide range of styles including wind band, brass band, big band jazz and classical. He also likes anything with an engine that can move quickly, particularly Alfa Romeo, Audi and Jaguar road cars and saloon car, Formula-E and Formula 1 racing.
