Raising Security Awareness: Godel’s Approach
Last week, social media giant Twitter was hit by a successful attack that compromised many high-profile accounts and used them to push a scam. It is a stark example of a risk that catches even large organisations off guard: a security breach. For companies with Twitter's level of influence, or for those providing critical services such as communications, finance or the public sector, there is simply no room for error on security.
Godel, a software delivery partner, is a third party that its clients (UK organisations of varying sizes) embed into their software delivery capabilities on a basis of complete trust. Godel must therefore treat security as a top priority, both internally and in every relationship with clients. As the company has grown to a headcount of 1100+ employees, it has matured a resilient set of practices that keep information security risk to a minimum.
ISO certifications show that an organisation has been independently audited against a standard published by the International Organization for Standardization (ISO); they demonstrate the quality of service and the robustness of the systems and processes Godel has in place. ISO 27001:2013 is the standard for information security management systems, and certification against it shows that systems and processes exist to keep information assets secure. Having already held ISO 9001:2008 for its proven level of software delivery quality, Godel was awarded ISO 27001:2013 certification. This was achieved only after a long period of auditing and assessment by independent, third-party assessors.
Godel's security policies are fundamental. They are not layered over other ways of working; they provide the foundation for how Godel employees conduct themselves in all aspects of their roles. These policies describe specifically how employees must work to protect the organisation's secure environment and minimise risk. Their coverage spans all physical and virtual matters that can pose a security risk.
To support this principle of "security by default", Godel's IT department has implemented many technical security controls. This is the infrastructure that underpins how Godel handles both internal and external (client) data, and these established processes make it clear to clients exactly how Godel ensures security.
Regardless of all these technical controls, the biggest vulnerability any organisation has is the human factor. Godel's employees are therefore made highly aware of the practices that ensure secure behaviour. Teams regularly undertake in-depth mandatory security training, delivered both online and offline to ensure full coverage and accessibility for staff.
Each of Godel’s clients has unique requirements that cover security matters beyond what Godel ensures as a standard. So flexibility in its ability to implement specific controls requested by clients – such as certain security checks, network security zones or training procedures – is part of the security protocol at Godel.
Godel works with UK clients, and so must adhere to UK data protection regulations. Its training programmes cover GDPR in relation to how client data must be handled. Data seeding, generating synthetic test data from scratch, is always the preferred approach, so that development and test environments never depend on copies of production data, even anonymised ones. Where a legacy system cannot be exercised without production-shaped data, anonymisation techniques are applied so that Godel can work with it effectively while minimising the risk of exposing sensitive information. One caveat that the training makes explicit: pseudonymised data, where identifiers are replaced by tokens that a key holder could reverse, is still personal data under GDPR, so only truly irreversible anonymisation takes data out of scope.
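To make the distinction between the two approaches concrete, the following is an added example written for this article; it is not Godel's own tooling, and the function names, the field list and the "legacy" record are assumptions constructed for illustration. It shows synthetic seed data being generated without ever reading production, and, for the legacy case, a keyed-hash pseudonymisation of direct identifiers that preserves referential integrity across tables but, as the comments note, does not make the output anonymous.

```python
import hashlib
import hmac
import random

# Constructed sample of a "legacy" production-shaped record. Not real data.
LEGACY_RECORD = {
    "customer_id": 48213,
    "full_name": "Alice Example",
    "email": "alice@example.co.uk",
    "postcode": "M1 1AE",
    "date_of_birth": "1987-04-12",
    "balance_pence": 1250,
}

# Assumed set of direct identifiers for this record shape.
PII_FIELDS = ("full_name", "email", "postcode", "date_of_birth")


def seed_customers(n, rng_seed=0):
    """Generate n synthetic customer records from scratch (data seeding).

    Deterministic for a given seed so a fixture is reproducible across
    environments. No production data is read at any point.
    """
    rng = random.Random(rng_seed)
    first = ["Ada", "Grace", "Linus", "Ken", "Radia", "Dennis"]
    last = ["Lovelace", "Hopper", "Torvalds", "Thompson", "Perlman", "Ritchie"]
    records = []
    for i in range(1, n + 1):
        fn, ln = rng.choice(first), rng.choice(last)
        records.append({
            "customer_id": i,
            "full_name": f"{fn} {ln}",
            # .invalid is reserved (RFC 2606), so seed addresses can never route.
            "email": f"{fn.lower()}.{ln.lower()}{i}@example.invalid",
            # ZZ is not a real UK postcode area; shape is kept for validators.
            "postcode": f"ZZ{rng.randint(1, 9)} {rng.randint(1, 9)}ZZ",
            "date_of_birth": f"{rng.randint(1950, 2000)}-"
                             f"{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}",
            "balance_pence": rng.randint(0, 100_000),
        })
    return records


def pseudonymise(record, key):
    """Replace direct identifiers with keyed hashes; keep business fields.

    The same value under the same key always maps to the same token, so
    foreign keys and joins in a legacy schema keep working. This is
    pseudonymisation, not anonymisation: whoever holds the key can re-link
    tokens to people, so the result is still personal data under GDPR.
    Truly anonymous output would drop or generalise these fields instead.
    """
    out = dict(record)
    for field in PII_FIELDS:
        msg = f"{field}:{record[field]}".encode()
        out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return out


def leaks_pii(original, transformed):
    """True if any original identifier value still appears in the output."""
    values = {str(original[f]).lower() for f in PII_FIELDS}
    blob = " ".join(str(v) for v in transformed.values()).lower()
    return any(v in blob for v in values)


if __name__ == "__main__":
    for row in seed_customers(3):
        print("seed:", row)
    safe = pseudonymise(LEGACY_RECORD, key=b"per-environment-secret")
    print("pseudonymised:", safe, "leaks:", leaks_pii(LEGACY_RECORD, safe))
```

The key passed to `pseudonymise` should be unique to each non-production environment and never stored alongside the data; if it leaks, every token becomes reversible by dictionary attack on the small space of names and postcodes, which is exactly why the page treats seeding as the default and anonymisation as the fallback.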
Another training instrument used at Godel is the OWASP Top 10, a widely used, regularly updated list of the most critical web application security risks. Godel's training modules on the OWASP Top 10 help its teams understand each class of weakness, how it can be exploited and exactly how to avoid it. Teams can then apply and share this knowledge with their clients, collaboratively building more resilient systems.
Real-life attacks are unpredictable, challenging and often arrive in the least expected form; that is what makes them so dangerous, and policies and training can only cover so much ground. This is why Godel regularly runs phishing simulations and penetration tests against its own infrastructure, reproducing real attack techniques to find gaps in the armour. Developers gain first-hand experience from these exercises, which helps them detect and mitigate genuine security risks before they turn into incidents.