The Cost is Going Up
The cost of data breaches continues to climb. Global Payments, which back in the spring reported a data breach in which information associated with an estimated 1.4 million payment cards was stolen, has revealed that expenses associated with investigations, fines and remediation have reached $84.4 million, according to Network World.
Could this have been prevented? More and more companies are adopting tools, methodologies and hardware in an attempt to avoid such large data breaches, but they do not seem able to stop them.
Could the solution to a high-tech security problem be as low-tech as good old checklists?
The Use of Checklists
Checklists are often dismissed as low-tech, rudimentary overhead. Atul Gawande wrote an extensive piece in The New Yorker; the article is long, but the bottom line is that the use of checklists brought down infection rates in Michigan I.C.U.s by 66%, and some hospitals, such as Sinai-Grace Hospital, cut their quarterly infection rate to zero.
How many expensive tools would have been necessary to achieve the same result?
Could we achieve the same results that healthcare did?
Developers, arguably like I.C.U. nurses, have many things to do, and the smallest mistake can lead to an infection in the I.C.U. or a data breach in the software. Following a simple checklist, carefully designed and customized for each case, could achieve dramatic results, close to what Michigan's I.C.U.s achieved. The software industry also seems to have picked up on the trend, and there is a noticeable increase in demand from our clients for help building checklists for the following areas:
- Software Security Requirements
- Secure Code Review
- Writing Secure Code
- Security Configurations
Building Your Own Checklist
There are several resources out there that can help you start building checklists for your own organization:
- OWASP Cheat Sheet Series: Very useful for generating secure coding and code review checklists.
- Open SAMM Project: Very useful for identifying the security disciplines to write checklists for.
- Open Web Application Security Project (OWASP), OWASP Testing Guide v2
- NASA, Software Security Checklists
- Visa U.S.A, CISP Payment Application Best Practices Checklist.
- NIST, National Checklist Program Repository
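A checklist only works if every line gets an explicit answer, and for the "Security Configurations" area many of the lines can be answered by a script instead of by hand. The following is an added example, not code from the original post or from any of the resources listed above: it encodes a short configuration checklist as data (each item keeps the question a reviewer would tick off, an automatable form of that question, and the remediation to apply) and evaluates it against a constructed sample configuration. The item identifiers, the questions and the configuration keys are illustrative assumptions, not taken from OWASP, NIST or any real deployment.

```python
"""Checklist-as-code: a security configuration checklist evaluated against an
application's settings. Added example; the items, identifiers and the sample
configuration are illustrative and not drawn from any of the listed resources."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Config = Dict[str, Any]


@dataclass(frozen=True)
class Item:
    ident: str                        # assumed identifier scheme, e.g. CFG-01
    question: str                     # the line a reviewer ticks off by hand
    check: Callable[[Config], bool]   # the same question, answered by code
    remediation: str                  # what to change when the answer is "no"


# Illustrative checklist. Each item is a common secure-configuration concern;
# the thresholds are assumptions for this example, not a published baseline.
CHECKLIST: List[Item] = [
    Item("CFG-01", "Is debug mode disabled in production?",
         lambda c: c.get("debug") is False,
         "Set debug=false before deploying."),
    Item("CFG-02", "Is the minimum TLS version 1.2 or higher?",
         lambda c: float(c.get("tls_min_version", 0)) >= 1.2,
         "Set tls_min_version to 1.2 or 1.3."),
    Item("CFG-03", "Do session cookies carry the Secure and HttpOnly flags?",
         lambda c: c.get("cookie_secure") is True and c.get("cookie_httponly") is True,
         "Enable cookie_secure and cookie_httponly."),
    Item("CFG-04", "Are passwords stored with a slow, salted hash?",
         lambda c: c.get("password_hash") in {"bcrypt", "scrypt", "argon2", "pbkdf2"},
         "Replace fast or unsalted hashes with bcrypt, scrypt, Argon2 or PBKDF2."),
    Item("CFG-05", "Is the session idle timeout 30 minutes or less?",
         lambda c: 0 < int(c.get("session_timeout_minutes", 0)) <= 30,
         "Set session_timeout_minutes to 30 or lower."),
]


def run_checklist(config: Config, checklist: List[Item] = CHECKLIST) -> Dict[str, str]:
    """Return {item id: "PASS" | "FAIL" | "ERROR"}.

    A check that cannot be evaluated (for example a malformed value) is
    reported as ERROR rather than skipped, so every line of the checklist
    always receives an explicit answer, as it would on paper.
    """
    results: Dict[str, str] = {}
    for item in checklist:
        try:
            results[item.ident] = "PASS" if item.check(config) else "FAIL"
        except (TypeError, ValueError):
            results[item.ident] = "ERROR"
    return results


def failing_items(config: Config, checklist: List[Item] = CHECKLIST) -> List[Item]:
    """Items that did not pass, in checklist order, for the remediation list."""
    status = run_checklist(config, checklist)
    return [item for item in checklist if status[item.ident] != "PASS"]


def report(config: Config, checklist: List[Item] = CHECKLIST) -> str:
    """Human-readable checklist with the remediation printed beside each miss."""
    status = run_checklist(config, checklist)
    lines = []
    for item in checklist:
        line = f"[{status[item.ident]:5}] {item.ident} {item.question}"
        if status[item.ident] != "PASS":
            line += f"\n        -> {item.remediation}"
        lines.append(line)
    return "\n".join(lines)


# Constructed sample configuration for the example; not from a real deployment.
SAMPLE_CONFIG: Config = {
    "debug": True,
    "tls_min_version": "1.0",
    "cookie_secure": True,
    "cookie_httponly": False,
    "password_hash": "md5",
    "session_timeout_minutes": 20,
}

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Keeping the question text next to the code that answers it is deliberate: the same list can be printed and walked through by a reviewer who has no access to the running system, and the automated run simply fills in the answers that can be taken from the configuration. Items that need human judgement stay on the list as questions without a check.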
Security tools, training and secure development are always necessary to avoid data breaches, just as monitoring systems and pulse oximeters are indispensable in the I.C.U. But more monitoring systems and more pulse oximeters are not what saved more lives; a simple checklist did.