#HowTo Evaluate the Security of New Applications

When work-from-home mandates were first announced due to COVID-19, many businesses were forced to accelerate digital transformation agendas overnight, making quick technology decisions and standing up WFH-friendly infrastructure as rapidly as possible.

As folks transition to the WFH life, one of the biggest adjustments is the change in environment. Your workstation at the office is no longer accessible and your colleagues are gone, replaced by children, significant others, pets, or roommates.

To offset this, organizations have adopted new technologies at rapid rates to ensure that employee collaboration and productivity remain at peak performance, from video conferencing and instant messaging apps to VPNs and other corporate infrastructure needs.

It is now more important than ever that business leaders take the steps necessary to ensure the speed of their particular digital transformations doesn’t expand their attack surface and provide easy entry points for attackers to exploit. Every new technology, if not vetted properly at the point of implementation and updated regularly, can leave critical business assets and devices vulnerable to attack.

To ensure this doesn’t happen, every new enterprise application should be evaluated and prepared the same way endpoints are. Your security team wouldn’t provide a new laptop to employees without first taking care of baseline security measures, so why should new applications be any different?

While the specifics depend on the type of application and the organization’s infrastructure, the following are baseline actions that enterprises should take to ensure that applications meant to increase employee productivity aren’t leaving the organization exposed or degrading its cyber hygiene.

Evaluate Security Settings

While it may sound simple, the first step security teams should take before implementing any new application is to look at the default security configuration the technology ships with. Vendors choose defaults for the broadest possible customer base, not for your organization’s risk profile, so every security setting should be vetted before the application is introduced to employees.

This means doing a full audit of what’s possible from a security perspective. For example, is two-factor authentication (2FA) available, and is it enforced for every account rather than merely offered as an option? Which default settings need to be tightened? Can sensitive abilities or actions within the platform be password-protected or restricted to specific roles?

Following a thorough audit, the business can establish the settings each user needs based on their role, access to information, and other factors.

Set user limitations

Once the right security settings for a given application are established and implemented, it is important that only authorized individuals can adjust them to make sure apps remain as secure as they were when originally deployed.

To ensure this, only those who need administrative privileges should have them. Other users should have only the access their roles within the organization require. Limiting who can adjust important settings and configurations keeps the app’s configuration consistent across the fleet of endpoints and prevents a single careless or compromised account from undoing the hardening.
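The two steps above, auditing the settings against a baseline and then watching that nobody quietly changes them, are easiest to keep honest when the baseline is written down as code. The following is an added example, not code from the original article or from any product: it checks a constructed settings export (shaped like what a hypothetical admin API might return; the field names and the MAX_ADMINS limit are assumptions) against a set of rules, and it compares a later export with the approved one to surface drift.

```python
"""Policy-as-code check of a new app's security settings against an approved baseline.

Added example, not code from the original article. SETTINGS_EXPORT is a
constructed document shaped like a settings export from a hypothetical admin
API; its field names and MAX_ADMINS are assumptions, not any real product's schema.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample export (hypothetical schema).
SETTINGS_EXPORT: Dict[str, Any] = {
    "org": "example-corp",
    "auth": {"mfa_required": False, "sso_enforced": True, "session_timeout_minutes": 480},
    "meetings": {"passcode_required": False, "waiting_room": True, "allow_external_join": True},
    "sharing": {"public_links_default": True, "link_expiry_days": 0},
    "users": [
        {"email": "alice@example.com", "role": "owner"},
        {"email": "bob@example.com", "role": "admin"},
        {"email": "carol@example.com", "role": "admin"},
        {"email": "dave@example.com", "role": "admin"},
        {"email": "erin@example.com", "role": "member"},
    ],
}

MAX_ADMINS = 2  # assumed organizational limit on privileged accounts for this app


def setting(doc: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested keys; a missing key yields `default`, so absent settings fail closed."""
    cur: Any = doc
    for k in keys:
        if not isinstance(cur, dict) or k not in cur:
            return default
        cur = cur[k]
    return cur


def privileged_count(doc: Dict[str, Any]) -> int:
    """Count accounts that can change the app's configuration (owner or admin)."""
    return sum(1 for u in setting(doc, "users", default=[]) if u.get("role") in {"owner", "admin"})


@dataclass(frozen=True)
class Rule:
    id: str
    description: str
    check: Callable[[Dict[str, Any]], bool]  # returns True when compliant
    severity: str = "high"


# The approved baseline. A missing setting counts as a failure, never as a pass.
BASELINE: List[Rule] = [
    Rule("auth.mfa", "MFA must be enforced for every account, not merely available",
         lambda d: setting(d, "auth", "mfa_required") is True),
    Rule("auth.session", "Sessions must expire within 12 hours",
         lambda d: 0 < (setting(d, "auth", "session_timeout_minutes", default=0) or 0) <= 720, "medium"),
    Rule("meetings.passcode", "Meetings must require a passcode",
         lambda d: setting(d, "meetings", "passcode_required") is True),
    Rule("meetings.waiting_room", "Waiting room must be on so the host admits participants",
         lambda d: setting(d, "meetings", "waiting_room") is True, "medium"),
    Rule("sharing.public", "Public links must be off by default",
         lambda d: setting(d, "sharing", "public_links_default") is False),
    Rule("sharing.expiry", "Shared links must expire (expiry > 0 days)",
         lambda d: (setting(d, "sharing", "link_expiry_days", default=0) or 0) > 0, "medium"),
    Rule("users.admins", f"No more than {MAX_ADMINS} privileged accounts",
         lambda d: privileged_count(d) <= MAX_ADMINS),
]


def evaluate(doc: Dict[str, Any], baseline: List[Rule] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (rule id, severity, description) for every rule the export fails."""
    return [(r.id, r.severity, r.description) for r in baseline if not r.check(doc)]


def flatten(doc: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts to dotted paths; lists (e.g. users) compare as whole values."""
    out: Dict[str, Any] = {}
    for k, v in doc.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out


def drift(approved: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Settings changed since sign-off: {path: (approved value, current value)}.
    Run against periodic exports to catch changes made outside the change process."""
    a, c = flatten(approved), flatten(current)
    return {k: (a.get(k), c.get(k)) for k in sorted(set(a) | set(c)) if a.get(k) != c.get(k)}


if __name__ == "__main__":
    for rule_id, sev, desc in evaluate(SETTINGS_EXPORT):
        print(f"FAIL [{sev}] {rule_id}: {desc}")
```

On the constructed export this reports five failures (MFA not enforced, no meeting passcode, public links on by default, links that never expire, and four privileged accounts against a limit of two). The design choice worth keeping is that every rule reads the export through `setting()` with a fail-closed default, so a field the vendor renames or drops in a later release shows up as a failure to investigate rather than silently passing.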

Establish an Inventory

Across the organization, all devices and programs need to be documented and inventoried, from roaming devices to third-party applications. It may sound obvious, but you cannot manage what you don’t know is out there.

By having a clear picture of the devices and related software on a given network, IT and security teams are able to identify which systems check the right security boxes and those that need to be updated, helping prioritize efforts and workflows accordingly.

Prioritize Endpoint Security and Regular Security Updates

It’s no secret that endpoints are a key entry point for attackers, making proactive endpoint hardening a crucial element of any cybersecurity strategy. This includes important functions like patching devices and software quickly and effectively. By proactively doing so, organizations are able to remove vulnerabilities before exploitation and minimize the enterprise attack surface.

IT and security teams already update endpoints on the Patch Tuesday cycle each month; third-party application patching deserves the same discipline. Every piece of technology needs to be patched as soon as new vulnerabilities are disclosed, including the collaboration and other apps that businesses increasingly use to stay connected across distributed workforces.
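The inventory from the previous section and the patching discipline described here meet in a simple triage: compare what each endpoint is actually running with the minimum version the vendor has declared fixed. The following is an added example, not code from the original article or from any vendor. The inventory rows are constructed (what an endpoint agent or MDM export might produce) and the minimum-version table is an assumption standing in for real advisories. It also shows a pitfall a plain string comparison would fall into, ranking 5.10.1 below 5.4.0.

```python
"""Inventory-driven patch triage for third-party applications.

Added example, not code from the original article. INVENTORY is a constructed
list of (host, app, installed version) rows such as an agent or MDM export
might produce; MIN_VERSION is an assumed table standing in for whatever
version the vendor's advisory names as fixed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory rows: (hostname, application, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("lt-0412", "videoconf", "5.4.2"),
    ("lt-0412", "chatclient", "4.12.0"),
    ("lt-0412", "vpnclient", "3.1.0"),
    ("lt-0517", "videoconf", "5.2.0"),
    ("lt-0517", "chatclient", "4.9.1-beta"),
    ("lt-0517", "vpnclient", "3.1.0"),
    ("srv-bld-01", "vpnclient", "2.8.0"),
    ("lt-0633", "videoconf", "5.10.1"),
    ("lt-0633", "sketchtool", "1.0.3"),  # not in the approved catalogue
]

# Assumed minimum patched versions (stand-in for vendor advisories).
MIN_VERSION: Dict[str, str] = {"videoconf": "5.4.0", "chatclient": "4.12.0", "vpnclient": "3.0.5"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Parse '5.10.1' or '4.9.1-beta' into a tuple that compares numerically.
    Plain string comparison would rank 5.10.1 below 5.4.0; this does not.
    A pre-release tag sorts below the release with the same numbers."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))  # so that 5.4 == 5.4.0
    pre = m.group(2) or ""
    return nums, 0 if pre else 1, pre


def triage(inventory=INVENTORY, minimums=MIN_VERSION):
    """Split the inventory into hosts running outdated approved apps and hosts running
    software outside the approved catalogue. Returns ({app: [hosts]}, {app: [hosts]})."""
    outdated: Dict[str, List[str]] = defaultdict(list)
    unapproved: Dict[str, List[str]] = defaultdict(list)
    for host, app, ver in inventory:
        if app not in minimums:
            unapproved[app].append(host)  # unknown software is an inventory gap, not a patch question
        elif parse_version(ver) < parse_version(minimums[app]):
            outdated[app].append(host)
    return dict(outdated), dict(unapproved)


def priority_hosts(inventory=INVENTORY, minimums=MIN_VERSION) -> List[Tuple[str, int]]:
    """Hosts ordered by how many outdated apps they carry, most first."""
    outdated, _ = triage(inventory, minimums)
    counts: Dict[str, int] = defaultdict(int)
    for hosts in outdated.values():
        for h in hosts:
            counts[h] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    outdated, unapproved = triage()
    for app, hosts in outdated.items():
        print(f"UPDATE  {app:<10} below {MIN_VERSION[app]}: {', '.join(hosts)}")
    for app, hosts in unapproved.items():
        print(f"REVIEW  {app:<10} not in catalogue: {', '.join(hosts)}")
    print("patch order:", priority_hosts())
```

On the constructed rows, lt-0517 carries two outdated apps and srv-bld-01 one, while sketchtool on lt-0633 is flagged for review because it is not in the approved catalogue at all; that last bucket is the inventory gap the previous section warns about, and it needs an owner before anyone can say whether it is patched.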

Do Your Due Diligence

Implementing new technologies to ease the WFH shift is the right decision. These tools play a pivotal role in how folks work, collaborate, and ultimately deliver value to customers.

However, it’s more important than ever that businesses roll out only applications that meet their security requirements, and, where a tool falls short, put the right processes in place to secure the technology their employees interact with on a daily basis.

The bottom line? The new tool that the leadership team is so eager to implement across departments may help employees work better together and deliver results, but you should never trade security for convenience and speed. Find the right balance by properly evaluating and configuring each technology before deployment. You’ll be glad you did.
