Honestly, the sheer scope of the threat landscape can be quite daunting. When you’re building solutions for emerging technologies, there are potential risks in all aspects of the product – from the components and firmware that go into devices, many of which come from third-party suppliers, to applications that might run on a user’s PCs, tablets and phones, to the cloud backend they all communicate with. All of these are targets for attackers, and therefore present potential security risks to customers and their data. Any breach has the potential to impact Lenovo’s reputation.
Creating leading products in emerging technologies will mean nothing if our customers can’t trust them.
There’s no question that the number of cyberattacks increased during the pandemic. You may have heard about video conferences being infiltrated because the correct security controls weren’t in place. There have also been breaches reported where remote employees were targeted because the employee’s PC or remote access was not properly secured.

Phishing is also an ongoing, growing problem. Employees are working from home at all hours on networks or PCs that might not be properly secured, making phishing an even bigger problem during the pandemic.
Training is key to building security into software from the start, and not just for security professionals. Everyone involved in product development should receive security training to ensure they understand why it is important and how it can be integrated into all phases of the development process.

Starting with design, we do things like threat modelling, and then integrate more security best practices through development and release. Once security becomes part of the development teams’ culture, it benefits everyone. The product team has fewer security issues to deal with, the security team has more confidence that the development team is doing the right things, and customers are more confident in our solutions.
Relying on a single or very limited set of tools. For example, having a firewall enabled does not automatically secure your Cloud service. Also, assuming hosting a solution on AWS or Azure automatically makes it secure is a common pitfall. We’ve seen news of so many data breaches occurring simply because businesses did not properly configure or secure the data stored in the Cloud.

“Defense in depth,” or multi-layered security, is important. For Cloud security, processes and controls should cover many different aspects; pen testing, code reviews, and configuration and vulnerability management, to name a few, are all important parts of a complete security program.
While we have implemented security into all stages of our development processes and continue to evolve and improve, it’s no longer enough to say to customers “trust us.” Customers are much more security-aware than ever before and are asking very pointed, detailed questions about our security practices and controls. By working together, we stay on top of the latest threats and continuously strengthen our security program.
Privacy is a key consideration when dealing with the capture and processing of voice input. We want to make sure we’re capturing voice input at the appropriate time -- when users expect it -- and ensure any processing of the voice input in the Cloud is done securely.
Again, we need to make sure customers can trust our solutions and with the many wide-ranging privacy regulations in place around the world, it is important to make sure we’re handling customer data securely.
To hear more from Igor, keep an eye out for his new podcast episode on Pragmatism in practice.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.