The recent SolarWinds security breach highlights the growing threat of unauthorised data access in our interconnected world.
The latest cyberattack went undetected for months and spread to thousands of clients. Hackers were able to spy on Fortune 500 companies such as Microsoft, Intel, Cisco and Deloitte. Hackers also found their way to the US government departments, including Homeland Security, Treasury and the National Nuclear Security Administration.
Hackers created backdoor access and installed malicious code into the SolarWinds Orion system that manages IT resources. When the company sent out regular updates, it unknowingly included the hacked code.
Each customer’s IT system was monitored remotely and additional malware was installed to facilitate spying.
Always prefer a team with strong in-house technology
The scale and seriousness of this breach are unprecedented; most likely, it will lead to a complete change to network security management in the future.
When researching your data security options, consider relevant risk factors closely. Look for a partner with a solid in-house technology team and a genuine commitment to maintaining industry standards.
At Velotrade, we maintain a team of IT and System Development professionals to support its technology infrastructure. We continuously manage software updates so that our clients are fully protected against data breaches.
APIs: Opportunities and Threats of greater online connectivity
The landmark SolarWinds hack points to an everyday issue faced by organisations of all types. When rolling out new services to boost online business models, here are the pros and cons of using third-party APIs. APIs (Application Programme Interfaces) offer universal connectivity that makes the process more accessible than ever.
Companies in all industries can now implement applications from third-party service providers. Retail, banking, financial and B2B service providers can all speed up developing a comprehensive range of services.
Yet, APIs also make it easier for hackers to find an access point to any computer system. What is more, if much of your customer interaction takes place online – the risks can be critical to the survival of your business.
What if you don’t manage your 3rd-Party APIs
Organisations are reliant on 3rd-Party Service Providers as they adopt new technologies. Among other benefits, API connectivity speeds up the development of an effective online presence. However, it also increases the exposure to risks linked to automation.
For this reason, 3rd-Party APIs must be carefully managed to avoid significant risks. Such risks could be:
- loss or theft of personal data
- data protection violations
- issues with money laundering and terrorist financing, especially for banks
These risks are compounded by the recent increase in remote working, which means that staff may connect to company networks from insecure locations.
Other dangers include:
- the widespread growth in phishing attacks
- and the persistent nature of human frailty: it just takes a single click on an infected file attachment to potentially compromise an entire company network.
Mitigate data risks – HOW?
To mitigate these threats, an effective 3rd-Party Risk Management Programme is essential. Every organisation should start with an inventory of each supplier’s technologies and an assessment of their risks.
The next step is harder: getting each supplier to toe the line. For financial institutions, full compliance with GDPR or PSD2 regulations may be a sufficient incentive. However, a great deal of careful checking is still required to ensure that all APIs meet strict requirements.
At a minimum, you will be aiming to:
- Block injection of untrusted data via APIs. Eliminate any opportunities to execute unintended commands or access data without proper authorisation.
- Ensure correct authentication and session management. Avoid compromised passwords and unauthorised system access.
- Avoid sensitive data exposure. Clouds and applications help protect all customer’s data (customer identity, credit card, et al..).
- Correct broken access controls. So hackers cannot take advantage of user accounts to access sensitive files and modify user data or change access rights.
- Avoid security misconfiguration. All operating systems and applications must be securely configured and updated in a timely fashion.
- Check all systems for known vulnerabilities. Regularly update your system to protect from known risks that may undermine application defenses.
- Ensure comprehensive logging and monitoring and incident report tracking. Without careful oversight, attackers gain unimpeded freedom to tamper, extract and destroy data.
The Future: APIs and Businesses
While the above list may seem daunting, there is no alternative to careful, controlled system security – especially when 3rd Party APIs increase the complexity of ensuring data safety within your organisation.
Today, online businesses aim to be FinTech players in their own right. It translates into managing online transactions and handling customer funds. However, this new level of risk and responsibility is spread across almost every sector. These online businesses could quickly become the range of targets available for bad actors to try and defraud.
The usage of APIs is increasing. Software is getting more complex, adding additional sources of uncertainty. The growing level of uncertainty about potential loopholes in undermanaged systems can ruin an organisation of any size.
With SolarWinds illustrating how the risk of cyber-attacks is becoming more worrying, the choice of a well-matched technology partner is more important than ever.