Software development companies, like businesses in virtually every other market, sustained a significant impact from the COVID-19 coronavirus pandemic when it hit the U.S. midway through Q1 2020. Companies with team members who at least occasionally worked remotely may have had some tools in place to continue operations during the shutdown, but teams that were accustomed to working together in a single location had to adapt to becoming suddenly dispersed.
Rob Juncker, SVP of Product, Research, Operations and Development at Code42, says collaborating at a distance has been an eye-opening experience in itself, but it has also given software developers a new appreciation of how important it is to protect their data.
How is an increased use of collaboration technologies during the pandemic changing the way companies think about data security?
Juncker: In the development world, we use a multitude of technologies to enable things like product roadmap planning, agile process management, build tools, artifact management, test automation, pipeline automation and CI/CD tooling. When we all transitioned to work from home, we had to federate these technologies further outside of our software development world as well as further enable them for effective remote collaboration.
In taking these steps, our tools became accessible to more people than they were in the office. Furthermore, collaboration by our entire team requires us to keep tools more up to date with communications about business strategy, direction and execution planning – things we handled differently in the office. Using our tools in new ways puts the information and data we are sharing within our tools at greater risk for unauthorized access and data exfiltration.
How do collaboration technologies create security vulnerabilities?
Juncker: While collaboration technology has made it easy for employees to share files legitimately, it’s also made it easier for them to be tempted to take, or accidentally leak, data. We are all working together, collaborating and using tools that allow us to do our work in the fastest way we can. This means we are often taking code, product roadmaps, or strategic direction and sharing them in tools where common access is much wider. In the past, I might privately discuss a product roadmap or a technology with a small group of scrum masters of architecture teams, but now those conversations have moved to tools like our wikis, ticket tracking systems or product roadmap collaboration sites. This means more people have access to sensitive information. That’s why it is more important than ever for our security technologies to reliably surface the data and files that are being shared internally and externally, whether unintentionally or maliciously. The speed of detection and response to data loss, leak and theft is critical to business continuity.
Has hacker behavior changed as a result of the pandemic?
Juncker: Definitely. It makes phishing easier. People can more easily fall victim to clicking malicious links than they might if they were in the office where they could get quick validation about suspicious emails from colleagues. Instead, employees are now drawing heavily on their past security awareness training to make the right decision as to whether an email is legitimate or malicious.
What can software developers do to protect their data, their IP and their teams?
Juncker: First, don’t stop innovating! Hackers are preying on people’s fears and anxieties – don’t let that fear also destroy your motivation to push the envelope, innovate and expand your IP. Second, take an inventory of your systems and make sure you are taking reasonable steps to secure them. Validate that your security team has visibility to the applications your dev team is using so they can partner with you when data is put at risk. Finally, add data security technologies that give full visibility to file activity happening on endpoints, on- and off-network, in the cloud and on both sanctioned and unauthorized apps. This visibility is critical to proactively finding risks and spotting risky data movements. This is no time for the inside to be security’s blindside.