Digitalization has reached the zenith of worldwide adoption.  Today, colossal businesses, small companies, government institutions,  intelligence agencies and billions of global citizens swarm online for millions of reasons.  From banking to education, shopping to healthcare, dating to data science- all sectors of life have become a part of the trillion-dollar Internet economy.  Data is now the biggest asset but that has led to cybersecurity becoming the newest domain for warfare. This means that precious, personally identifiable data which could cost companies millions of dollars,  cost customers their privacy and potentially drain their wealth, and could cost a nation a geopolitical security threat, is now the backbone of all economic activities. Hence, before you approach a developer to build your mobile applications,  enterprise software or a website, there are some questions about data privacy and cybersecurity that you would stupid not to ask. Here are some to start with- 

1. What security controls or features are your product?  

From a lack of mainstream understanding,  millions of app users don’t think twice about the strata of security that keeps their credentials,  activities, and PII private. Before choosing a developer, ask them in detail about the built-in security features that are deployed in-app.  There are varying controls that developers use, so research on the pros and cons of each and choose the one that is most relevant to your business.  

2. Do you encrypt data?  And can you access our enterprise data post deployment?  

Encryption is a fairly common security mechanism that encodes raw data or text into a string of illegible codes to prevent unauthorized access.  The raw data is only accessible by the sender and the receiver (the party that the source trusts and chooses to send the data to). Encryption is what protects your information when you chat online,  fill in your bank details, add your address to e retail platforms, etc. Your software developer may be able to access your data even when encrypted due to encryption backdoors. Ensure that you and your developer have an honest conversation about who can access your company’s data post the app is distributed.  

3. How does your product mitigate physical security threats?  

In some cases,  the security breach arises not out of hacking,  but instances like losing your mobile phone. Some applications have a timeout operation that requires the user to sign in with credentials again after a preset duration.  This adds extra insulation against loss of data in case someone from your team gets a little irresponsible. Ask your developer about the security measures that mitigate physical security threats.  

4. Does your product have encryption backdoors for lawful access by federal authorities?  

The majority of cybersecurity professionals stand against the need for federally mandated encryption backdoors that allow government parties to access your data as and when lawfully required.  But while these encryption backdoors may be coded for federal parties, it is technically impossible that they will not be discovered by hackers and misused. If there is no encryption backdoor,  users’ privacy is maintained and is not vulnerable to breaches. Find out what is your developer’s stand on this federal mandate.  

5. What techniques do you deploy to secure vulnerable data?  

After you have gained an insight into how your developer protects your digital infrastructure,  learn more about the techniques they deploy within the product. Some techniques are- 

File-level encryption is a tool that works on a file-by-file basis, and it is useful for protecting data at rest.

Containerization is a type of virtualization strategy that creates separate containers at the operating system level, which can be encrypted, and it is a viable alternative for securely storing data and documents.

Data federation is a security measure for decentralized storage of data that spreads out critical resources across numerous serves and operates using a database that contains metadata about all the remote data. (From https://resources.infosecinstitute.com)  

Apps that require Personally Identifiable Information (PII) should have an added layer of security and these credentials should not be stored on the user’s device locally,  but on a secure server that connects securely to the app. Tools like VPN, SSL, and TLS are handy in protecting from local attacks such as those that arise from insecure, often public wifi networks.  

6. Where is my enterprise and customer data stored?  

Your data may be stored on-premise or in physical storage spanning multiple servers.  In applications that don’t require sensitive and personally identifiable information, your data is stored in the app on your device itself.  Depending on your business, your enterprise data and that of your customers could range from not vulnerable to extremely vulnerable to attacks (such as in case of banking or trading applications). Review the risks and make a decision regarding data storage that suits you best.  

7. What recovery features can help my business in case of an attack or data breach?  

Recovery features could range from automated backing to another server so that if your central infrastructure is compromised,  the data isn’t completely lost, to immediately taking your product offline when the first alarm of a potential breach is raised.  There are a lot of ways in which developers can build recovery features that downplay the potential damage by hackers, so educate yourself about these before your app’s development process begins.  

Before you hire a software agency or a developer to build your web/mobile or software application,  make sure that you understand all the nitty-gritty of the infrastructure that will soon be adopted by all your customers.  Their privacy should be a primary concern of your business hence it is essential that you leave no stone unturned in building a secure,  uncompromising experience for your customers. At West Agile Labs, your privacy is our top concern.