In light of the recent Equifax breach, we wanted to share a few of the ways we keep data safe.
Most hacks and breaches are the result of using outdated software with known vulnerabilities. For example, the hackers in the recent Equifax data breach exploited a known vulnerability in one of the software libraries used by Equifax. The fix for the vulnerability had been available for over two months when the breach occurred, but Equifax had not yet updated their systems.
Deploying frequently with code reviews
We make sure that our code stays current and secure on all fronts. We release software multiple times per week. Every code change is peer reviewed by at least one other software engineer and passes through QA before it is ever deployed.
Automatically checking for vulnerabilities
In addition to the multiple manual reviews our code goes through, it is also audited with automated static code analysis that checks the code for over 130 of the most common security vulnerabilities every time code is updated. (By the way, the top 10 vulnerabilities account for 85% of all exploits, so if you keep up to date on even just those few, you are immediately immune to 85% of potential problems.) Beyond security vulnerabilities, the code analysis also checks for hundreds of other common programming errors and best-practice violations. This removes the human-error element and helps ensure that we are not inadvertently introducing problems.
Eliminating outdated software and dependencies
Our code deployment pipeline also automatically checks for and alerts us to available updates for our software dependencies. We want to ensure that we will never be in the situation where we have missed critical updates that have been available for months.
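The kind of check a pipeline can run is easy to sketch. The following is an added example, not the company's own tooling: it compares a constructed dependency manifest against a constructed advisory feed (the package names, advisory identifiers and dates are placeholders) and reports every pinned version that is older than a published fix, together with how long that fix has already been available. The build date and the 30-day limit are assumptions chosen for the demo.

```python
from datetime import date

# Constructed example manifest (package -> pinned version); not a real project's data.
MANIFEST = {
    "web-framework": "2.3.1",
    "json-parser": "1.8.0-beta",
    "logging-lib": "4.1.2",
}

# Constructed advisory feed: the version that fixes an issue and the date the fix
# was published. Identifiers, packages and dates are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADVISORY-0001 (placeholder)", "package": "web-framework",
     "fixed_in": "2.3.5", "published": date(2017, 3, 7)},
    {"id": "ADVISORY-0002 (placeholder)", "package": "logging-lib",
     "fixed_in": "4.1.2", "published": date(2017, 5, 1)},
    {"id": "ADVISORY-0003 (placeholder)", "package": "not-used-here",
     "fixed_in": "9.9.9", "published": date(2017, 1, 1)},
]

# Constructed "build date" for the demo (assumption).
DEMO_BUILD_DATE = date(2017, 7, 29)


def parse_version(version):
    """'2.3.1' -> (2, 3, 1). A pre-release suffix such as '-beta' is dropped so
    that '1.8.0-beta' still compares numerically with '1.8.0'."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def find_unpatched(manifest, advisories, today):
    """Return every pinned dependency that is still older than a published fix,
    together with how many days that fix has already been available."""
    findings = []
    for adv in advisories:
        pinned = manifest.get(adv["package"])
        if pinned is None:
            continue  # we do not ship this package at all
        if parse_version(pinned) < parse_version(adv["fixed_in"]):
            findings.append({
                "package": adv["package"],
                "pinned": pinned,
                "fixed_in": adv["fixed_in"],
                "advisory": adv["id"],
                "fix_available_days": (today - adv["published"]).days,
            })
    return findings


def should_block_deploy(findings, max_days=30):
    """Fail the pipeline when any fix has been left unapplied for longer than max_days."""
    return any(f["fix_available_days"] > max_days for f in findings)


def run_audit(today=DEMO_BUILD_DATE):
    """Convenience wrapper: audit the constructed manifest as of `today`."""
    return find_unpatched(MANIFEST, ADVISORIES, today)


if __name__ == "__main__":
    findings = run_audit()
    for f in findings:
        print(f"{f['package']} {f['pinned']} -> fix {f['fixed_in']} "
              f"({f['advisory']}) available for {f['fix_available_days']} days")
    print("block deploy:", should_block_deploy(findings))
```

With the constructed data, only `web-framework` is flagged: its fix has been available for 144 days, which is well past the 30-day limit, so the deploy is blocked. `logging-lib` is already at the fixed version and the third advisory concerns a package that is not in the manifest.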
Beyond those dependencies, we regularly evaluate all components of our software and IT infrastructure to ensure that they are still actively maintained, appropriate for our purposes, widely used and adopted, and that the best and brightest software engineers are available and interested in working on projects using those technologies. When one of our components does not meet that standard, we replace it with one that does. For example, several years ago we migrated from PHP to Java as our primary programming language, because PHP wasn’t able to support enterprise-level projects and attract the best developers. Similarly, several of our frontend technologies are in their golden years, so we are actively transitioning our frontend to React.
Protecting your data in every stage
We follow the best industry encryption standards for protecting your data. Data at rest (stored in a database) is encrypted using AES-256. For data in transit (travelling over the Internet), we use Transport Layer Security (TLS, which is also commonly referred to as SSL, though that name is technically incorrect). As previously announced, we’re already in the process of removing support for older TLS protocols so that we’ll only support the most current, secure version. We also stand on the shoulders of giants by using Amazon Web Services to host and store all our data.
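"Removing support for older TLS protocols" is ultimately a one-line setting on the server, but it is worth having a check that proves the setting took effect. The following is an added example written for this page, not the company's configuration: it builds a server-side TLS context with Python's standard `ssl` module that refuses anything below TLS 1.2, and a small audit function that lists which protocol versions a given context would still accept. The certificate path parameters are assumptions; the demo runs without any certificate.

```python
import ssl

# Protocol versions in ascending order; TLSVersion is an IntEnum, so they compare numerically.
ORDERED_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
# Versions that should no longer be offered on a public endpoint.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1_1"}


def hardened_server_context(certfile=None, keyfile=None):
    """A server-side context that only negotiates TLS 1.2 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression leaks plaintext length
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # the server, not the client, picks the suite
    if certfile:
        # Path to your own certificate and key (assumption; not needed for the demo).
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allowed_protocol_versions(ctx):
    """Names of the protocol versions a context would still accept, oldest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ORDERED_VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ORDERED_VERSIONS[-1]
    return [v.name for v in ORDERED_VERSIONS if lo <= v <= hi]


def legacy_versions_enabled(ctx):
    """Obsolete versions the context still allows; an empty list means it is hardened."""
    return [name for name in allowed_protocol_versions(ctx) if name in LEGACY_VERSIONS]


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("accepted:", allowed_protocol_versions(ctx))
    print("legacy still enabled:", legacy_versions_enabled(ctx))
```

The audit function is the useful half: run it against whatever context your application actually constructs (or against a context loaded from its settings) in a unit test, so that a later configuration change that quietly re-enables TLS 1.0 fails the build rather than going unnoticed.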
We use the latest and greatest methods of password hashing, which is similar to encryption—but with no key that could unlock the information. Cracking passwords hashed this way takes so much time and effort that it becomes economically unfeasible for hackers to keep trying. Since 79% of cyberattacks are opportunistic, most hackers will simply move on as soon as they encounter resistance.
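To make the "hashing, not encryption" distinction concrete, here is an added example (not the company's code) using scrypt from Python's standard `hashlib`. There is no key anywhere: the stored record contains only public parameters, a random salt and the digest, and verification recomputes the digest and compares it in constant time. The work-factor values are assumptions for the demo; `needs_rehash` shows how stored hashes get upgraded when the parameters are raised later, which is what keeping up with the "latest and greatest" requires in practice.

```python
import hashlib
import hmac
import os

# Current work factor (assumed values for the demo). Raising these over time is how the
# scheme stays current; needs_rehash() below spots hashes made with weaker settings.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
DKLEN = 32


def hash_password(password, params=SCRYPT_PARAMS, salt=None):
    """Return a self-describing record: scrypt$n$r$p$salt_hex$digest_hex.
    Nothing secret is stored: salt and parameters are public, and no key exists."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=DKLEN, **params)
    return "scrypt${n}${r}${p}${salt}${digest}".format(
        salt=salt.hex(), digest=digest.hex(), **params)


def verify_password(password, stored):
    """Recompute the digest with the stored salt/params and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, params=SCRYPT_PARAMS):
    """True when a stored record was produced with weaker settings than the current ones."""
    algo, n, r, p, _, _ = stored.split("$")
    current = (params["n"], params["r"], params["p"])
    return algo != "scrypt" or (int(n), int(r), int(p)) < current


def check_login(stored, password):
    """Typical login step: verify, and if the record is outdated, return an upgraded
    record to write back. Returns (accepted, new_record_or_None)."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)  # re-hash with current parameters
    return True, None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print("login ok:", check_login(record, "correct horse battery staple"))
    print("wrong password:", check_login(record, "Tr0ub4dor&3"))
```

Two records for the same password differ because each gets a fresh salt, so an attacker cannot precompute a single table for everyone; and because scrypt deliberately costs memory and time per guess, every guess is expensive, which is exactly the "economically unfeasible" property described above.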
Using multi-factor authentication and preventing personal vulnerabilities
However, the most common data breaches don’t come from attacking the code itself. They come from attacking people—in 2016, over 60% of corporate data breaches were caused by social engineering—which is why we have even more safeguards in place. All our employees receive regular security training, and our employees and all users are required to use multi-factor authentication in order to log in to the background screening platform.
Multi-factor authentication (MFA) means that a password alone is not sufficient to log into an account; users must also provide a code texted to them, use an authenticator app, or enter a code sent to them by email. According to Symantec, 80% of data breaches can be prevented simply by using MFA. We also require strong passwords along with regular password changes, as 63% of data breaches involve weak, default, or stolen passwords.
In 2015, cybercrime cost over $400 billion, and by 2019, it’s estimated that it will cost companies over 2 trillion dollars. Don’t be one of those casualties. By choosing Global Investigative Services, Inc., you’re not just using the best background screening software. You’re also taking advantage of our rigorous security practices to make sure you, your business, and your applicants stay safe.