Mounting a strong defense against cyber attacks

Balancing security and user-friendliness

Increasing digitization and networking create decisive advantages, but the threat of cybercrime is also rising. However, companies can be proactive against this threat. Learn how to protect your systems from attacks and what measures you should take to secure your data and that of your customers. Here we provide practical tips and advice on how to improve your IT security and protect your company from the negative consequences of cyber attacks and the related business risks.

According to the Allianz Risk Barometer 2023, cyber incidents are the number one business risk for companies, ahead of any other negative impact such as business interruption or macroeconomic developments. These figures and statistics make it clear that cybercrime is a large and growing problem. It is therefore crucial that companies and organizations take appropriate measures to protect their IT systems and data from cyber attacks, both internal and external. In addition to distributed denial of service attacks (DDoS) and criminals extorting money, disgruntled employees may also attempt to damage data or sabotage systems.

Cyber security as an ongoing process

Protection against cyber attacks is an ongoing process that is crucial for all types of companies. Technical measures and the optimization of organizational processes can help guard against attacks. These include regular reviews of data backups, anti-virus scans, encryption and key management, and the evaluation of additional security measures.

Information security is therefore a time-consuming issue for companies that must be addressed on an ongoing basis in order to be able to counter the constantly changing forms of attack. This is where management systems in the "Software as a Service" (SaaS) model can play an important role. The big advantage of SaaS solutions is that the solution provider is responsible for security.

This is because in this model, the software is licensed on a subscription basis and hosted centrally by the provider, rather than installed and managed at the company premises. But can a vendor and its solution provide the necessary security? Companies should clarify several questions when evaluating new software to ensure that security requirements are met.

The SaaS model brings many advantages for companies, because the software provider vouches for the required security precautions, updates and support.

Security covers the entire software lifecycle

Security should be included in every step of software development, not only at the end. During the analysis, the development of the concept and the architecture, the elaboration of the user requirements and later the actual development and testing, security should already have a firm place. If a solution provider adheres to a "Secure Software Development Life Cycle", it can be assumed that security has been included in the solution development from the very beginning and that the solution is therefore well equipped to fend off attacks.

By adhering to the Secure Software Development Life Cycle, it is also possible to comply with the new data protection requirement of "data protection through technology and data protection-friendly default settings" (privacy by design and by default). This is of great importance for companies, as it helps them to ensure data security and data protection for their customers and thus also gain their trust. A proactive approach to cybersecurity in software development can therefore not only improve security but also become a competitive advantage for companies.

Measures against cybercrime

There are a variety of measures that software developers and vendors can take to secure their applications against cybercrime. One basic measure is to implement encryption technologies to ensure that sensitive data cannot be viewed or stolen by third parties. The technology that can meet most regulations and standards is end-to-end encryption at rest and in transit. It is ideal to use subprocessors to handle personal or confidential data, or to bring your own key and your own encryption means.

In addition, developers should strengthen user authentication, for example by implementing multi-level authentication processes such as two-factor authentication. In this way, they ensure that only authorized people can access the application.

Another important protection mechanism is to continuously monitor the application for potential vulnerabilities or attacks. This can be done using automated monitoring tools that detect suspicious activity and send notifications to the security team. This approach is "security in layers": humans test and improve the software, and a firewall can deny access to the software if a request comes in that does not fit the expected pattern. If a conspicuous pattern appears, an expert has to assess it and initiate countermeasures.

Another measure is to regularly train employees to make them aware of potential cyber threats and teach them how to recognize and respond to suspicious activity.

Finally, it is important to regularly update software to close potential vulnerabilities and security gaps. However, updating should be done carefully so that it does not lead to compatibility issues or other glitches. Overall, software developers and vendors should implement a comprehensive security strategy that works on multiple levels to protect their applications from cyber attacks.

Online portals and web applications are a must for companies with direct customer contact. However, because of their availability on the Internet, they need to be specially protected against cyber attacks.

Security in software operation

IT operations has the task of making software available to an appropriate extent and operating it without disruptions. Modern systems and platforms are mostly web applications accessed via the Internet. This means that the servers must be protected accordingly. This requires concrete specifications as to who is allowed to access and administer the system, a process for handling malfunctions, and so on. Preventive measures such as logging user and administrator activities prevent possible data manipulation. Granted authorizations should be checked regularly and adjusted if necessary.

If a software vendor brings such standards and security requirements into the business relationship, it is an assurance to companies that the solution is being operated properly.

Dedicated security team

An internal security team in a software company is critical to ensuring application security. One of the main selling points is that a dedicated team is able to stay on top of the latest knowledge about new types of attacks.

The world of cybercrime is constantly changing, and there are always new threats to watch out for. If an internal security team receives regular training and stays informed of the latest developments, they can respond effectively to these threats. Measures can be taken proactively to protect applications against attacks. Test environments in which periodic tests are performed on an ongoing basis, support for emergencies and, of course, training are all part of the process. For example, if employees are poorly trained, settings in the backend or on the server can be misconfigured, enabling attacks.

A dedicated internal security team is also able to respond quickly to threats. When a threat occurs, they can act immediately to minimize the impact on applications and systems. This can help ensure that vulnerabilities are quickly remediated before major security issues or even business outages occur.

In addition, a software vendor's internal security team can work closely with other teams. This ensures that security issues are addressed at all stages of the development process. And this, in turn, helps ensure that security vulnerabilities are avoided from the start and that applications are developed securely from the ground up.

Balancing security and usability

More security often means more steps and barriers for users. A software vendor must be able to balance this trade-off. There are now advances in user authentication that can contribute to this balance, such as two-factor authentication.

Here, an additional code is sent to the user's smartphone. They have to enter this code to authenticate themselves. This increases security without creating additional complexity for users.
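One way to implement the server side of the code check described above, as an added Python example that is not part of the original article; the in-memory store, the five-minute lifetime and the three-attempt limit are assumptions:

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 300      # assumption: a code is only valid for five minutes
MAX_ATTEMPTS = 3            # assumption: three wrong guesses discard the code

# Pending codes per user: constructed in-memory store for this example.
# Only a hash of the code is stored, so a leaked table is not enough to log in.
_pending = {}


def _digest(user_id, code):
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


def issue_code(user_id, now=None):
    """Create a fresh 6-digit code for the user. The caller delivers it
    (e.g. by SMS or push notification) and must never write it to a log."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
    _pending[user_id] = {"digest": _digest(user_id, code),
                         "expires": now + CODE_TTL_SECONDS,
                         "attempts": 0}
    return code


def verify_code(user_id, submitted, now=None):
    """Return 'ok', 'no_code', 'expired', 'wrong' or 'locked'."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return "no_code"
    if now > entry["expires"]:
        del _pending[user_id]            # stale codes are never accepted
        return "expired"
    entry["attempts"] += 1
    # constant-time comparison: timing must not leak how many digits matched
    if secrets.compare_digest(entry["digest"], _digest(user_id, submitted)):
        del _pending[user_id]            # one-time use: consumed on success
        return "ok"
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]            # stop online guessing of the 6 digits
        return "locked"
    return "wrong"
```

The attempt limit matters because a 6-digit code has only a million possibilities; without it, the second factor could be brute-forced online.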

Another example is biometric authentication, such as Face ID. This uses the user's face as a biometric factor for authentication. This is not only more secure than traditional passwords, but also easier to use. Provided that the protection of biometric data is guaranteed in accordance with the new data protection laws, the "DSG" in Switzerland and the GDPR in the EU, optimized security and good usability can thus be combined.

Data protection

Data protection laws in the European Union (GDPR) and more recently in Switzerland (nDSG) have been tightened to reflect technological and social developments. Data processing must become more transparent and people's control over their personal data must be protected. Companies that process sensitive data must ensure that their IT systems offer a very high level of security, even if this data processing is outsourced to Switzerland or abroad. It is also about avoiding potentially high fines and reputational damage due to data breaches.

Companies are responsible for protecting the data or verifying that the data is adequately protected by the management and processing software. Nevertheless, a good software provider can be recognized by the fact that it feels an innate responsibility to protect its customers' data with secure solutions and that it can also advise its customers in this area. On a contractual level, a good software provider will offer all the necessary guarantees (data processing contract, legal guarantees, contractual clauses, certification) on its own initiative, so that the customer can have confidence in these points.

Companies are not powerless against cyber crime: the right software partner can maximize a software's resistance to attacks.

Companies are not defenseless against cyber attacks

Web applications are a gateway for classic hackers. However, there are many useful measures to avoid being passively exposed to these attacks. Security integrated into the entire software development lifecycle and at all levels, with a mixture of human and computer-controlled measures, is most effective. A cloud-based SaaS solution takes the burden of implementing these measures off companies so they can focus on their core business.

Contact us

Peter Kohler

Chief Information Security Officer