Critical Security Considerations when Assessing Knowledge Management Software
According to a study by IBM, the global average cost of a single data breach amounts to $3.86 million. That is an average of $148 for each lost or stolen record containing sensitive and confidential information. This figure highlights the difference between products built for small teams and products built for enterprises. Although no product or service is foolproof, there is a significant difference in risk exposure with enterprise products whose vendors have made major investments in security infrastructure.
When a data breach costs your company millions of dollars and your KM platform houses business-critical information, is reliability and security something your organization can afford to cut corners on?
This article gives you an overview of the main security considerations and the costs involved in enterprise security, and helps you ask and validate the right questions during the vendor discovery process.
An insecure KM Platform can severely damage your business
Losing a large amount of money due to a security breach is one thing, but arguably worse is the long-term detrimental effect this can have on your business.
Let’s revisit what a data breach really means. While there are nuances and different levels of severity, such breaches boil down to the following:
1) Internal documents are leaked to the public
Worst case, sensitive customer data is exposed to the public. Once that happens, there is no way for you to contain the damage as the data gets distributed on the Internet. But even if it’s “only” internal process documents or procedures that are leaked, the damage is considerable. Think of how competitors can use this information to their advantage, getting inside information about your internal processes.
2) Content gets deleted
Instead of publishing content from your hacked system, attackers may opt to simply delete it, causing havoc to your operations. Imagine your customer support agents suddenly losing access to the most valuable information they need to assist your customers effectively. While any good SaaS provider will have backups to reinstate your content, this will take some time. And what if the attackers were able to reach those backups as well?
3) Information is falsified
A more subtle way your organization can be adversely impacted is internal information being falsified. This may lead your support agents to provide incorrect answers to customers. Even worse, tampered procedures may open a whole new entry point for the attackers.
Here is a summary of what a security breach can eventually result in:
- System outage stops effective customer support
- Attackers gain access to other corporate systems using the leaked information
- Competitors can steal business-critical information
- Private and sensitive employee and customer information is exposed
- Customers lose trust in your organization
Key considerations regarding your KM platform’s security position
Here are the main aspects of SaaS security that you need to consider:
- Application and data center security
- The vendor’s organizational controls
- Whether your vendor has invested in security
Application and Data Center Security
Knowledge management applications and the underlying infrastructure need to be secured in accordance with industry best practices. This includes:
- Data encryption at rest with regular key rotation
- Enforced encryption in transit, limited to current, secure TLS versions (legacy SSL and early TLS disabled)
- Secure access controls, ideally with Single Sign-On (SSO) capabilities
- A properly configured Intrusion Detection and Prevention System (IDS/IPS) with real-time alerts
- Continuous monitoring of the infrastructure to avoid the introduction of security loopholes
- Availability of audit trails and system access logs
- Data replication across multiple data centers including frequent backups
Vendor Organizational Controls
The other critical aspect of your KM platform's security is the vendor's organizational controls. These are arguably even more important: it doesn't matter how secure the technology is if the vendor can't properly control the change management process or which employees can gain access to customer data. Consider the following minimum organizational controls that should be in place:
- Strictly limited access to production data, with controls in place to enforce it.
- Audit trails on system and data access as well as configuration changes.
- Access control to all vendor systems.
- Physical security, including security cameras and office premises with physical access controls in place. If the vendor's team is distributed, how do they ensure, for example, that laptops aren't tampered with?
- Security of devices, such as laptops, and Internet access points. Like the previous item, this becomes especially important when the vendor works with distributed teams.
- Effective code security controls to prevent malicious code from being released.
- Change management processes that ensure the reliability and consistency of the platform and infrastructure.
- Disaster recovery and business continuity plans that are regularly tested.
Vendor Security Infrastructure Investment
And finally, the vendor actually needs to invest resources, both time and money, in order to implement and properly maintain the relevant security measures. Enterprise security is a commitment and an investment by the vendor in core security infrastructure. This infrastructure is part of the cost that is passed on to the customer, and it includes:
- Up-to-date and reliable data backups
- End-to-end encryption
- Continuous system monitoring, supported both by state-of-the-art tooling and highly trained people
- Data replication across multiple data centers
- Enterprise SSO options to support your growing organization's access controls
- Detailed audit trails with appropriate data retention strategies in place
Security infrastructure is expensive and requires a great deal of overhead. There is no possible way to set up and run such an infrastructure for a few cents per user. If you are quoted a price that seems too good to be true, it is just that, too good to be true, and the platform is likely vulnerable to security breaches.
When you suspect there may be gaps in the security infrastructure, you'll need to ask some good questions.
Questions you should ask your KM vendors
Given the risks that your organization may be exposed to, you might want to consider asking some of the following questions to verify the vendor’s suitability for the job at hand, namely keeping your important information safe and secure at all times. These questions include:
- What does the organization’s control environment look like?
- How is internal and external communication and distribution of information organized?
- Does the organization perform regular risk assessments?
- What monitoring activities are in place?
- What are the control activities being performed?
- How are logical and physical access controls enforced?
- How are system operations organized to ensure security and reliability?
- How is the change management process implemented and controlled?
- What risk mitigation procedures are in place?
- How does the organization ensure the system’s availability?
- How does the organization ensure the confidentiality of data?
- Are real-time and historical metrics available that prove the system's uptime and latency?
How can you trust what your vendor tells you?
So, you've asked all the important questions and maybe had your internal IT security team verify that the answers were indeed satisfactory. How can you be sure that the answers actually reflect reality and that the KM platform is truly as secure and reliable as promised?
While you could attempt to audit the vendor's systems and organizational controls yourself, it is far more practical to rely on security certifications that are audited by an independent auditing agency specializing in IT security.
There are various such certifications. The most commonly accepted one for SaaS vendors is the SOC 2 Report (System and Organization Controls Report). If your vendor can provide an audited report, you can verify that the claimed controls are actually in place and operating effectively.
Does your company rely on vendors to process and safeguard your sensitive data […]? SOC 2 reports cover controls such as security and privacy and may be used by leaders in internal audit, risk management, operations, business lines and IT, as well as regulators. – PwC on SOC2 Reporting
If your vendor can’t provide an audited security report or merely provides a self-certification, that means you can’t be certain that the KM platform is actually reliable and secure.
In the end, security costs money.
If a data breach could cost your company millions of dollars and your KM platform houses business-critical information, is it even a consideration to cut corners on an insecure solution?