IT security through the eyes of a client: How to choose and check a partner for my type of business?
Safety requirements, restrictions or regulations vary from project to project. It depends on its complexity, or the industry where the partner operates and where it will find its users.
What is this claim based on? Well, over the course of six years, we have had the honor of making a various range of projects with our partners. Banking, healthcare, biometrics, finances, internal information systems, sport… Each of them has taught us something and for the future, it has given us the answer to a question that we would often like to know earlier.
We will look at the topic through questions that could be interesting for the company or entrepreneur. We will try to share a few (we believe useful) experiences.
The questions are answered by CEO Tomáš Lodňan and CTO Marek Špalek.
1. Why should I think about security as a project sponsor? Shouldn't it just be the provider?
Of course, security needs to be considered from the scratch. Data is a new currency, so you need to manage it. Would you leave your savings on the street? Probably not. As the operator, you are responsible for the way the data is managed and, in case of a leak or attack, you will also need to inform the competent authorities and bear any penalties. Therefore, I would not underestimate it at all. However, the provider can be extremely helpful to you, so choose one who has experience with it and can advise you.
2. What is the absolute basis of data security, which I am not moving anywhere at the moment without?
It is especially important to set the process of data acquisition and processing itself to be the least exposed to the possibility of human failure or other external factors.
In GoodRequest, we have adopted this rule: “You need one place where the truth is. And it's on the server. ”Keeping the rule pays off for websites and applications. At the same time, it applies to all projects. Especially for those which are really extremely sensitive to data, such as a bank or clinic. Then other special regulations and rules come into play.
In addition, there are principles about the https protocol, data protection throughout their journey, etc. They aren´t definitely unknown for any serious developing company or freelancer.
3. Isn´t GDPR unnecessary? Why is it necessary and not only essential for websites and apps?
It's definitely not unnecessary. Developers or even users confirm it so many times. Many argue that everything needs to be agreed or approved. However, keep in mind that agreement to the processing of personal data is only the beginning of your "relationship" with the service provider, based on this relationship, it then develops how your data will be handled. Imagine not having to do this and your service provider would take any of your data without your knowledge. Consequence? We've seen a few in the past. Influencing elections, unfair practices, loss of privacy and so on. Therefore, I personally think that the GDPR is perhaps the most fundamental legislative standard in terms of data security in the last 10 years.
4. What about security for websites as well as apps and information systems? What is the difference?
Security always depends on the sensitivity of the data you work with. The bigger security and protection you want to provide, the more your costs will increase. Simply speaking, it is always necessary to consider what risks the easier solution will bring and whether in the context of the project it will not endanger users, the product, or your reputation. So it is clear that if you are making a banking application or system for a clinic, you are working with the highest level of security available. But with a smaller project where you solve e.g. website for your gallery, encryption, secure communication via HTTPS and a normal level of security are enough for you.
5. Are there differences across sectors? Which have the most significant specifics?
Certainly yes. It would be a very long and extensive response if we addressed each industry, one by one. It is therefore best to consult experts. But keep it simple - the more data, the bigger responsibility. The more sensitive data, the greater multi-party requirements. One of them is also the state.
6. How to check the provider? What questions to ask and what answers to expect to check qualification and credibility?
The best by means of references. A trustworthy and serious company does not hide them and they are easy to find. It's a nice springboard for the first survey. However, as they say – you can say what you like on paper and therefore, if you find your "favourite", I recommend asking for specific references and contact to the person who managed the project with the company. Typically it can be a project manager, a business owner, or a product owner on behalf of a client. They can definitely give you the best feedback on the provider himself. Finally, if it is possible from the point of view of the project and its budget, I recommend hiring a company that does penetration tests so that you have the so-called the other pair of eyes to check it all out.
Is the topic of creating websites, applications and access to security in a software company interesting to you? Would you like to know more about how from searching partner, there can be a web or application with millions of users?
Tomáš shared all this in NaRovinu podcast on business.
If you did not find the answer to your question in this interview, or if you have any additional ones, contact Tomáš. You can find his LinkedIn profile right here.
3 months ago