Three questions to ask your software providers

Global supply chains, remote working, and digital-first services in Asia-Pacific were mostly underpinned by one common denominator: cloud technology. In the region alone, Deloitte Access Economics forecasts the adoption of cloud services will contribute a further US$160 billion from 2020 to 2024. As economies revive from the COVID-19 pandemic, the cloud—both public and private—will continue to be an essential asset for organisations as they scale and improve business continuity and cost efficiency in the coming years.

On the other hand, rapid digitalisation can be a double-edged sword. The region’s swift improvements in connectivity, and its consequently widening digital footprint, have created additional touchpoints that malicious actors can exploit. In Asia-Pacific, industries dealing with critical and sensitive data—such as banking, telecommunications, and government organisations—are some of the highest spenders on IT security in trying to combat these threats. But whether it’s ransomware or a highly sophisticated and persistent supply chain breach, the entire industry faces a growing, treacherous threat landscape.

Security breaches are incredibly costly and take a long time to recover from. In the past year alone, organisations across six Asia-Pacific markets recorded a 32% year-over-year increase in security breaches, with almost 70% needing more than a week to mitigate the attacks. In the same report, nearly one-fifth (17%) of businesses reported they face more than 50 cyberattacks every week, a stark reminder that the threat is ever-present.

Though some vendors may choose to swoop in when a competitor faces an attack, no one is completely safe—it takes only one breach for an entire fortress to be compromised. With experts discovering new vulnerabilities every day, IT teams are exhausted by the constant chasing of a moving goalpost. This further complicates the selection of a software vendor, whose products are integrated into a business’s infrastructure across all levels, which means a vulnerability in a vendor’s software could lead to a cybersecurity breach.

At SolarWinds, we learned hard lessons about the increasing sophistication and pervasiveness of cyberthreats during the Sunburst cyberattack on our software platform by an outside nation-state. To support our commitment to community vigilance and information-sharing, we’ve identified a number of considerations IT and business leaders should take in determining which products to choose. To help minimise risk, here are three things to consider when evaluating your software providers:

Is their technology scalable?

Companies are always changing and growing, adapting to the evolving business landscape. Though an increase in employees is often an indicator of a thriving business, it also presents a greater threat surface for the company. Particularly in the era of working from home, new technology updates and infrastructure changes can create loopholes for attackers to exploit and gain access to systems and confidential data.

To stay ahead of emerging threats, it’s important for the selected cybersecurity solution to continuously evolve with the business network, especially as companies continue their digital transformation journeys. Software vendors should be committed to developing and adapting their solutions to accommodate changes and new features according to business needs, and should proactively consider their own risk levels. An enterprise risk management program is also a valuable tool providing IT managers with a comprehensive overview of risk exposures across numerous departments.

What is their approach to securing the software development life cycle?

Security isn’t a one-stop product—it’s a process. Software vendors need to have an in-depth understanding of cybersecurity and keep a close eye on the constantly evolving threat landscape. Their solutions should be holistic, with an end-to-end approach including monitoring, detecting, and responding to threats across a business’s entire IT infrastructure. This needs to include all endpoints, Internet of Things, networks, and even older devices and applications lacking the updated security of newer ones.

Vendors should also have expertise with your business environment and threat landscape. For instance, a company working within the financial services industry must adopt a distinct approach compared to a food and beverage company. Security solutions are not one-size-fits-all. Instead, services, methodologies, tools, and consultation should be tailored to the company’s specific business needs.

Businesses might also do well to consider what level of detail a software vendor’s internal processes provide to identify internal threats, including what protocols are in place to handle discovered vulnerabilities and mitigation strategies.

Can they walk the walk?

Even the most advanced technology needs a human touch to ensure everything is shipshape. It’s crucial for vendors to have a team with experience in cybersecurity and in software development and management. Knowledge of the different types of threats and the ability to identify, rectify, and prevent them are integral to any security solution. The team should be able to thoroughly analyse data and provide clear, actionable insights to help remediate and prevent future occurrences.

When considering a software vendor, companies should spend extra time checking industry credentials and reviewing client testimonials of the potential team members. Taking the time at the beginning of the process ensures you get not just the best analysts but the right ones with the relevant industry expertise.

Not “if” but “when”

As the Asia-Pacific region continues to drive digital technology and innovation across all sectors, it’s imperative for businesses to continuously reinforce their cybersecurity measures by evaluating all providers rigorously. The increasing complexity of cyberattacks means executives and business leaders need to ask more of every software vendor they choose.

A case in point is the Sunburst cyberattack on SolarWinds, which was highly sophisticated, well-resourced, and persistent. In response, we rolled out our Secure by Design initiative, and a multifaceted approach including a set of questions that IT practitioners, executives, and business leaders should ask of any software vendor they evaluate.

These questions are designed to help customers identify the right software vendor for their business. With the evolving landscape, companies need to take the necessary preparatory steps for inevitable security issues. Having a trusted partnership with your software vendor enables you to swiftly identify threats and mitigate them as soon as possible.