By Igor Tkach
Data security is one of the deepest concerns of business owners who are looking to hire remote developers. Still, many people perceive security measures as a bureaucracy or even an obsession, because they see no point in over-scrupulous guarding against something that has never happened before. However, don’t take it for granted – you never know when your sensitive data can run into a real threat.
I’d like to share my experience and help you ensure your data protection. It will be especially useful to the companies that work with teams distributed among versatile locations.
There are two main directions of data security — preventative measures, which minimize the possibility of data damages, and reactive measures, which determine what needs to be done in case of an actual information security incident.
Information Security starts with the physical security of the office and network.
The office that houses development teams working with customers’ data should support an acceptable level of physical security — surveillance cameras, access control systems, etc., as well as the technical part — a secured network in the office.
So when you’re starting to collaborate with a new vendor, don’t forget to ask them a few directive questions about network security in advance:
- How is the network built?
- What WiFi networks are there?
- Is it possible to create VLAN (a local network) for a team, so that other teams don’t have direct access to it?
- Do you have guest access and how do you enable it?
- Do you store any data at all?
- Do you store all the data in your server room or in a cloud?
All of these questions will help you realize how seriously the company perceives security. Don’t panic if you’re a first-timer in network security, the company has to be ready to answer all of your questions. If they say they can’t provide answers due to confidentiality restrictions or other reasons, it’s a direct sign to reconsider your collaboration.
A lot of companies use “one infrastructure” approach and keep all their development teams working in one infrastructure. In such a case, you have 100% control over all processes and data with no exceptions and have no dependency on your vendor at all, even though it’s your most trusted partner.
The administrative part — the processes, procedures, and policies ensuring information security.
The company needs to have a well-organized security system starting from the office access permit ending with the rules of conduct regarding emails, workstations, software installation, and upgrades.
1. Well-Defined Incident Management Plan (IMP)
An incident management plan determines the sequence of operations in case of any extraordinary situations. For example, someone has stolen the data, there was an information breach, data leakage, or one of the office devices contracted a computer virus, etc. Also, each company should have a business continuity plan in case of other emergency situations, such as flood, fire accident, power or Internet cutoff, or any other incidents that can harm the company’s usual operation.
Beyond that, outlining and discussing all of the procedures is only 30% of work, while the main part is educating all the company’s employees on how to comply with the rules of procedure.
This training may vary depending on the employees’ positions. Most of the administrative personnel aren’t obliged to know how developers should deal with the client’s data in the production process. Thus, the relevance of security education is also an important part of effective incident management. New employee orientation is another crucial part of a company’s security. As soon as a new person joins the company, they need to get through instruction on all of the key rules on the very first day.
To check the vendor’s readiness to manage incidents, ask them:
- What are you doing if one of the office devices contracted a virus/or a virus encrypted a computer?
- Do you have backups and what is your recovery plan?
2. Adherence to the Principle of Data Minimization
I recommend not sending the team more information than they need at their current stage of work. For example, if the team is working on one product development, it’s not necessary to provide them with access to the repository of another product that is next in the queue.
However, if it’s not possible to avoid data sharing, I recommend signing a data processing agreement between the parties that have access to this data — clients and developers.
3. The Settled Politics of Password Changes
The company should have a defined procedure of password change — first, by their complexity, and second, by the frequency of their change.
4. Minimization of Printing Information
Printers are the main sources of confidential data leakages in the offices. Thus, the use of this office device should be monitored carefully. Don’t provide access to a printer to employees who actually don’t need to use it personally and minimize printing documents/materials as much as possible. Besides information security, it’s also a good input into environmental protection.
5. Define Bring Your Own Device Policy (BYOD)
It’s not a secret that everyone now has their personal gadgets starting from smartphones, which have become more powerful than a computer, to tablets, laptops, and so on. In this perspective, it’s important to make up your mind — allow using personal devices for work-related purposes or limit employees to office equipment.
If you lean toward allowing personal devices, think over a policy that will regulate their safe use with no harmful consequences for the company’s data.
There are specific software that limit access to data on personal devices exclusively. Also, in case developers work with sensitive data (like personal information), your policy can include regulation of USB ports on personal devices — they can be disabled with the help of specific programs, ensuring developers won’t be able to use memory cards while working with private data.
Reactive Security Measures
Reactive security measures include operations performed by the company after it has already faced data leakage or other damages that prevent the usual workflow. In practice, such preventative measures as incident management and business continuity plans are applied as reactive security measures.
Thus, the preventative information security measures are tightly interconnected with the reactive ones. I’d also recommend companies that care about security to maximize efforts on the development and support of preventative measures. This way, you’ll ensure that you won’t have to implement the reactive ones at all.
Keep a healthy balance between the cost of security and the cost of its absence.
However, if you’re dealing with personal data, Public Sector Information, healthcare data, intellectual property, personal data, financial information, naturally, you should apply the maximum possible protection measures. If it’s the development of a simple app, there’s no need for very expensive security activities. So it all comes down to realizing how critical your information is and which data protection methods are reasonable in your particular business situation.