“People will try to bring down your system from the Internet and they will abuse your service. You can be sure of that,” says Jörgen Mellberg, IT Security Manager at PostNord Stralfors.
At the same time, many companies do not have adequate protection against such threats.
“The most common security mistake that companies make is to add security to their products and services as an afterthought,” says Jörgen Mellberg.
In addition to being unprotected initially, there are many disadvantages if you delay security.
“It can be difficult to implement security afterwards. Sometimes it’s impossible without a total redevelopment of large parts of the solution. Such an approach often resolves one specific security threat, but not all. And it’s always much more expensive than integrating security from the outset.”
The solution is to introduce security as a consideration when the service or product is still in the design phase.
Another common mistake is to attempt to build your own security solution. Such systems are often complex, which makes it difficult to get everything right.
“You must be familiar with all elements of security so that you don’t miss anything – no chain is stronger than its weakest link. At the same time it’s difficult to maintain security throughout the entire life cycle of a product or service without strict control,” says Jörgen Mellberg.
“You very rarely need something that hasn’t already been built. In that case it’s better to purchase mature solutions with tried and tested security and to implement them in your own system.”
Analyse the risks
Companies that want to avoid getting into trouble need to cover all eventualities in advance by thinking like a perpetrator. This is what Jörgen Mellberg works with: he tries to predict all possible security threats so that nothing goes wrong.
The threat does not necessarily have to take the form of a malicious hacker who wants to access your data or trigger a denial-of-service attack to bring down your website. It can be something as simple as a user who uses your service in a way that you hadn’t considered – such as robots that automatically publish tweets on Twitter.
“People will try to use your service for their own needs, whether or not you’ve considered it. If you have that attitude from the outset, it makes development work much easier,” says Jörgen Mellberg.
So, when you build your system, you must close off the uses you did not foresee.
“The key is to find the risks in the system. Then you have to have an insight into how you want to use the system and how it is structured. The more we understand about what can happen, the better security we can create.”
Security at the right level
There are many kinds of threats. The question is whether you need to protect yourself against all existing threats or just those that you identify as being serious.
“It’s all about the balance between risk and cost. You have to find the right level for the security checks. A security level that’s too high costs too much money,” says Jörgen Mellberg.
Furthermore, a security level that’s too high can frighten off customers, who turn to another supplier.
“We’re used to using keypads or mobile banking IDs when we log in to the bank, customers accept that. But if a more basic service were to have the same security solution, there’s a risk that customers would get fed up with your service.”
Security adapted to operations
It is a company’s operations that determine what kind of security solution is needed. If you have an e-service, for example, you need redundancy in the service’s Internet connection. You also need to know when customers access the service. Is the load constant or is there a peak for a short period of time in the year? In the latter case, the security system must have a capacity that can cope with a temporary peak.
“You address this by means of what we call load-balancing and an architecture that can cope with a surge. Because if your service goes down, the customer just goes to the next supplier instead,” says Jörgen Mellberg.
Is it possible to build in security against human negligence?
“You can never be 100 per cent secure – to err is human. But the risk can be minimised if, for example, two people have to implement a change. You can then make sure that the other person doesn’t make a mistake.”
“By automating as much as possible, you also reduce the risk of human error and get the same outcome every time.”