It’s understandable that the focus is on capabilities when evaluating an automation vendor - you need to know first and foremost if their product can truly meet your organization’s needs. The conversation usually pivots to cost - vendor software licensing, potential professional services needed, in addition to talent allocation from your own company.
What should also be occurring in parallel with learning about features and pricing is carefully evaluating how a solution provider would protect and secure one of your organization’s greatest assets - your data.
If an information security assessment is never completed, a major data breach that damages your business and reputation becomes a matter of when, not if. When this evaluation is only initiated as the last step before signing a contract, you’ve lost - if not wasted - time.
Either you go into a holding pattern while your data security team works with the solution provider to complete the assessment, and you cannot yet launch your important automation project.
Or the worst outcome becomes your reality: the vendor solution is found not to meet your company’s information security requirements, and you are back at square one looking for other automation options. You’re late even before you can get to solving business problems, improving the customer experience, and eliminating manual tasks for your employees.
In Part 1 of our Information Security (InfoSec) blog series, we introduced the idea of a vendor embracing a proactive information security approach as being mission-critical to protecting your - and your customers’ - enterprise data. Here in Part 2, we will discuss 6 important considerations for delivering the two key components of information security - cybersecurity and operational security, including Ushur’s recommendations for combating the associated challenges.
Cybersecurity focuses on protecting networks and systems from digital attacks. This is an increasing threat not only to businesses but also governments and our personal lives. Not a week goes by where we don’t read about a data breach at a company or a ransomware attack on a community. And we are all probably receiving phishing emails daily at home, as criminals try to access our personal data.
Operational security consists of the procedures and protocols used to maintain and enhance cybersecurity. If cybersecurity is the fortress, operational security is the camera system monitoring the perimeter to ensure all gates remain locked.
- Virtual Private Network (VPN) Techniques - Threats to your company’s network security are evolving minute by minute, as criminals develop new ways to detect - if not create - vulnerabilities to break in online. A VPN creates an encrypted, end-to-end connection, keeping activity on a public internet connection private and difficult to trace. Introducing VPN features to your company’s network connections will strengthen the security of your external touchpoints. Regular and extensive auditing of any connections with an automation service provider is essential, to detect warning signs of a potential problem emerging on their end.
- Network Redundancy - For anyone who has strung up holiday lights, all it takes is one bulb to go out and the whole string goes dark. Hence it’s vital for companies to have multiple options for network activity to travel, so a problem with one server doesn’t bring business to a halt. This “distributed architecture” is something you would want to see in place with an automation service provider. You will be leveraging their tool to conduct your business and you want high confidence that they have addressed any risk of downtime.
- Distributed Denial of Service (DDoS) Prevention - DDoS attacks involve bombarding a website with more traffic than its network can handle, in the hope of forcing it to shut down. When successful, a DDoS attack does major reputational damage to a company and can be both expensive and time-consuming to repair. When selecting an automation solution provider, you want to be sure that they have DDoS preventive measures in place, including with any cloud partner in use.
- Change Management - Your company has a robust change management process in place to ensure that any and all technology changes, individually and in concert, are technically compatible. This prevents a security gap that could emerge if one or more systems within your organization are no longer fully functional. An automation solution provider should be able to walk you through their change management policy - both how they manage change within their environments and how they will collaborate with you, as their customer, when they update the applications you are using. This includes how they screen their code for potential security issues, including using code analyzer tools and a manual review process.
- Compliance Management - More and more legal data protection requirements are emerging, specific to a state or region, like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA). Plus, there is the Health Insurance Portability and Accountability Act (HIPAA). An automation solution provider should be able to explain how they ensure that, for each customer, they adhere to that customer’s strictest data security requirements.
- Administrator Access - Managing systems and hardware requires some people to have extra access privileges so they can modify settings when needed. Some refer to this as “root” access. Admin access must be tightly managed and closely monitored to maintain the expected level of security over time. It’s important to understand how an automation solution provider limits access to their test and production environments. Ideally, multi-factor authentication is in use, with logging of all sign-ons and regular access audits.
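One way to run the sign-on audit described above, as an added example that is not code from the original post or from Ushur’s product; the record fields, account names and the 90-day idle threshold are assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample sign-on records (not real data). Each record says who signed on,
# whether they hold admin rights, whether MFA was completed and which environment was entered.
SIGN_ONS = [
    {"ts": "2024-03-01T09:12:00", "user": "alice", "role": "admin", "mfa": True,  "env": "production"},
    {"ts": "2024-03-02T22:41:00", "user": "bob",   "role": "admin", "mfa": False, "env": "production"},
    {"ts": "2024-03-03T11:05:00", "user": "carol", "role": "user",  "mfa": False, "env": "test"},
    {"ts": "2023-11-20T08:00:00", "user": "dave",  "role": "admin", "mfa": True,  "env": "test"},
]

# Constructed roster of accounts that currently hold admin ("root") access.
ADMIN_ACCOUNTS = {"alice", "bob", "dave", "erin"}


def admin_sign_ons_without_mfa(records):
    """Admin sign-ons that did not complete multi-factor authentication (policy violations to investigate)."""
    return [r for r in records if r["role"] == "admin" and not r["mfa"]]


def stale_admin_accounts(records, admins, as_of, max_idle_days=90):
    """Admin accounts with no sign-on within max_idle_days of as_of: candidates for access revocation.

    Accounts that never appear in the log at all are reported too, since unused privilege is still risk.
    """
    last_seen = {}
    for r in records:
        if r["user"] in admins:
            ts = datetime.fromisoformat(r["ts"])
            last_seen[r["user"]] = max(last_seen.get(r["user"], ts), ts)
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_idle_days)
    return sorted(u for u in admins if last_seen.get(u, datetime.min) < cutoff)


def access_audit(records, admins, as_of):
    """Combine both checks into the report a periodic access review would produce."""
    return {
        "admin_without_mfa": [(r["ts"], r["user"], r["env"]) for r in admin_sign_ons_without_mfa(records)],
        "stale_admins": stale_admin_accounts(records, admins, as_of),
    }


if __name__ == "__main__":
    print(access_audit(SIGN_ONS, ADMIN_ACCOUNTS, "2024-03-10T00:00:00"))
```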
Be proactive and be informed. Ask questions as you explore new vendor partnerships. Be sure your business and technology teams are partnering early in the exploration process, to complete a 360-degree assessment as quickly and effectively as possible. Information security should be a shared responsibility for everyone in your organization. These cybersecurity and operational security best practices will help you safeguard your data.
To learn about how Ushur uses a proactive and end-to-end security approach to protect clients and arm them with confidence, check out our Information Security Whitepaper, where we discuss our security practices and protocols in-depth.