The Rising Cost of Poor Software Security


Architecture | Eoin Woods |
12 July 2019

At Endava we take security seriously in all of our projects, so seriously in fact that we have a specific approach to developing software that we call "Secure Development", in which we add additional activities and steps (such as threat modelling and vulnerability scanning) to our normal software lifecycle activities. This is often in conjunction with a DevOps approach to delivery, integrating security activity into the cross-functional team, resulting in so-called “DevSecOps”. Of course, this requires more effort and a bit more budget, in the same way that delivering additional features would.

It has become apparent that it is more common than not to sacrifice secure development to save costs. This week, a well-known FTSE 100 company (which is not an Endava client) discovered just how expensive the alternative can be, highlighting the need to prioritise security in the development and operation of your systems. In mid-2018, they were hit by a cyberattack which compromised customer data including names, addresses, log-in details, payment card details and travel booking details. A year later, the UK Information Commissioner's Office (ICO) announced that the business had failed to protect the fundamental privacy rights of its customers and issued a notice of intention to impose a significant fine on the company under the provisions of the GDPR.

And it's not just this FTSE 100 company that may be feeling the consequences of inadequate cybersecurity measures. A well-known Fortune 500 company may also be facing a fine, after a cyberattack in 2014, when hackers stole the records of several hundred million customers. In this case, the ICO has also communicated its intention to issue a hefty fine against the group for GDPR related infringements.

While cybercrime may be virtual, the threat is very real, and it requires at least the same level of consideration as physical security does. Cyberattacks are a crime, just like burglary, but you wouldn't leave the door unlocked and skip fitting an alarm in the hope that your property will remain safe simply because the law is on your side. The same thinking needs to apply to cybersecurity. Businesses need to take sensible precautions while developing and operating software to make it as difficult as possible for cybercriminals to mount an attack against them.

These cases illustrate that regulators are finally taking cybersecurity incidents seriously and will levy fines that are not just a rounding error in the company's accounts, to be dismissed as a "cost of doing business". And this is exactly how it should be.

Cybercrime is not going to go away. In fact, Juniper Research predicts that ‘cybersecurity breaches will result in over 146 Billion records being stolen by 2023’. The same report expects ‘the number of records breached to nearly triple over the next 5 years, while cybersecurity spend will only increase by an average of 9% per company per annum’. For those businesses that are already focused heavily on security, perhaps that increase will be enough, but for the rest, who have been skipping these vital steps to save money, that level of investment probably won’t be.

Beyond the fines, the cost of a cyberattack is far-reaching. A 2018 Ponemon Institute study found that the ‘cost of the average data breach to companies worldwide amounted to US$3.86 million’ and that ‘the average time it takes to identify a data breach is 196 days’. Once you have lost the trust of your customers, it can take years to get it back.

Organisations have a duty of care to their customers to take reasonable precautions to keep their personal details safe from cyberattacks. Developing software with a serious focus on security is an important part of this process. And suddenly, in the new regulatory environment, it looks like much better value for money!

Eoin Woods

Chief Technology Officer

Eoin provides technical strategy advice to our major clients and works with our delivery organisation to ensure that the right people, tools, technologies, and processes are in place. Outside work, he is an enthusiastic amateur trumpet player, dwelling in a wide range of styles including wind band, brass band, big band jazz and classical. He also likes anything with an engine that can move quickly, particularly Alfa Romeo, Audi and Jaguar road cars and saloon car, Formula-E and Formula 1 racing.
