Tips to Prevent Data Loss in the Software Development Cycle
A few years ago, an Australian employee accidentally leaked a spreadsheet containing health information of people applying for Australian visas. The incident started when a typo in an email address caused the spreadsheet to go to an unknown person’s account. In 2017, a malicious staff member stole at Bupa Global stole over 100,000 international health insurance policies.
According to the Verizon 2019 Insider Threat Report, more than half of data breaches originate from insiders. As shocking as this statistic sounds, not all data loss events are the result of a malicious attack. A 2018 report shows that more than 40% of recent data breaches were caused by accidental sharing.
While this seems ominous for all sectors, software development companies are especially vulnerable to data breaches. The collaborative and fast-paced nature of development increases the risk of data leaks or losses. That is why, according to Gartner, chief information security officers consider data security a top priority. Software development companies must secure their working data against data breaches. Companies must protect not only their data but their clients’, to keep customers’ trust on their side.
Organizations should implement policies and a security framework to achieve effective data security. Development companies should pay special attention to access permissions, constantly monitoring data usage. In addition, companies outsourcing software development services should ensure that third-parties follow security practices to prevent data leaks. Read more to learn how software development companies can prevent data breaches.
What Is Data Loss Prevention?
Data Loss Prevention (DLP) is an umbrella term comprising the set of tools and processes an organization uses to prevent unauthorized usage and access of data. DLP solutions monitor the network and resources for accidental or intentional data loss or leakage.
A data loss prevention strategy involves more than choosing the right tools. You should assess your data to identify which is the most critical. Critical data is the data you need to ensure business continuity. Companies should also categorize sensitive data such as customers’ personal or credit card data.
In recent years, regulations such as the General Data Protection Regulation (GDPR) set guidelines for collecting and managing personal information, requiring companies to comply with data loss prevention requirements.
Data loss should not be confused with data leakage. The term data leakage refers to an intentional or unintentional disclosure of information outside the organization’s network. For example, a malicious insider transferring confidential files to an external actor.
Data loss means the data cannot be retrieved, because it was deleted or damaged beyond repair. Some data loss events are caused by natural disasters or power outages. In some instances, data loss results from a deliberate attack.
Considerations for Software Development Companies
New practices such as Bring Your Own Device (BYOD), and outsourcing software development increase the risk of data loss or leakage. Securing the data in custom software development requires considering the following factors:
Not all data is fit for sharing
The organization should determine what data can be shared with third-parties, as well as assess the protection required for this data type. For example, customer personal data or intellectual property documentation. Companies that practice BYOD should enforce security policies to guide employees on securing the data in their devices.
Do you have a recovery plan?
The recovery strategy should include scheduled backups and storing sensitive data on corporate servers. Securing the data by replicating servers is another effective approach.
Have a Data Processing Agreement (DPA)
Adata processing agreement sets the guidelines to process, store, transfer and protect the data between client and vendor. This is useful for companies outsourcing software development, as well for development companies working as third-party vendors. The agreement should take into consideration local and industry regulations, such as GDPR.
Tips to Prevent Data Loss in Software Development
Software development companies should establish secure work principles, including secure coding practices. Having a documented information security management system is a must to prevent client data loss.
A DLP policy should be enforced across the software development and operations cycle. Some of the points this policy should cover include:
- Protected networks—includes the use of strong passwords and two-way authentication.
- Monitoring traffic—should include inbound and outbound traffic monitoring, as well as an updated firewall.
- Intrusion detection—including spam, phishing, and virus monitoring.
Software developers using the DevOps method face unique challenges. A company applying DevOps is exchanging data constantly between on-premise, cloud-based applications, and third-parties.
DevOps environments require a comprehensive approach to protect sensitive information. Some best practices to prevent data breaches in DevOps environments include:
- Leverage machine learning to classify data—a context-based classifier solution can help with this task.
- Encrypt data everywhere—you can leverage format-preserving encryption techniques, to keep the format of the data while securing it. Data loss prevention tools help to automate encryption both for data in motion and at rest.
- Monitor for Internet exposure—if deploying applications in the cloud, you should check if any of the hosts are exposed to the public cloud. A data loss prevention solution can do the trick.
- Establish a baseline of normal behavior—leveraging User and Entity Behavior Analytics (UEBA) technology can help you determine what is a normal activity for your environment and detect anomalies.
- Develop and establish security policies—all engineers and third-parties should adhere to the established security policies. Training staff regularly and updating security procedures can help you stay ahead of potential threats.
Types of Data Loss Prevention Tools
There are different types of DLP tools, which often vary according to where a system is installed and what data types are protected. Below, you’ll find a review of the main types of data loss prevention solutions.
Network-based data loss prevention (DLP)
These solutions are usually installed at the perimeter of a network, to protect data in motion. Network-based solutions monitor inbound and outbound traffic to detect if sensitive data is being transmitted outside the network. They work based on predefined policies, looking for violations in email traffic, social media and instant messaging.
Data-storage based data loss prevention (DLP)
These solutions protect data while it is at rest, in the organization’s data center. Data-storage DLP detects sensitive data and analyzes its storage, determining if it is secure.
Endpoint data loss prevention (DLP)
You should monitor devices on your network, such as laptops, PCs and tablets, for any action that transfers data outside the network. Dedicated endpoint DLP monitoring solutions typically look for actions such as copying a file to a USB, sending an email or printing a file. Then the system flags this action, and alerts subscribers.
The Bottom Line
Gartner predicts that by 2020, one-third of data breaches will originate from shadow IT. Every organization developing custom software or outsourcing development services should implement data loss prevention practices and tools. You never know when an accident or a malicious attack will cause your data to get deleted or stolen. The practices mentioned in this article can help you minimize the risk of your data and your client’s from data breaches.
Thank you!