FIVE SECURITY QUESTIONS TO ASK YOUR CAFM PROVIDER

David Cornish, development manager at Urgent Technology, explains why FMs must be aware of the security risks that come with new CAFM technology
Facilities managers have a multitude of responsibilities, from the basics like keeping buildings operational, safe and compliant to working together with the IT and HR departments to futureproof the business. This is where computer-aided facilities management (CAFM) systems come in. CAFM software helps organisations by improving the visibility of their maintenance and asset data, enhancing their reporting capabilities, and providing multiple stakeholders with the ability to share information in real time.
However, FMs must be vigilant about the risks that come with these new benefits. Naturally, CAFM systems store data that is both sensitive and business-critical, while that information can now be accessed by a large number of users and via a wide range of portals. Mobile technology, for example, has transformed the end-to-end maintenance process by improving contractor response and repair times, but it has also heightened the risks around data theft.

6 FACILITIES SHOW DAILY JUNE 2018
While CAFM platforms tend not to hold individuals’ data, such as bank account details, they often hold commercially sensitive information that could negatively impact a business if it were to be hacked. Data needs to be protected, so it is important to know that your CAFM provider is secure enough to manage this.

To keep your company and your data safe, here are five fundamental questions you should ask your CAFM provider when assessing their security provision.
1. Do they conduct regular penetration tests against their platform?

As a minimum, your CAFM provider should conduct penetration tests against their platform on an annual basis. One strategy is to hire friendly hackers – also known as ‘white hat hackers’ – to attack the platform and attempt to access, steal or corrupt data they shouldn’t be able to reach. If the hackers are successful, they provide a detailed report on how exactly access was gained and how the application may be breached in the future, outlining any faults or weaknesses.
2. Are they encrypting sensitive data?

It’s important to ensure sensitive data is protected, and understanding the difference between encryption and hashing is a good start. Encryption is a two-way process, which makes it possible to reverse. It’s useful for storing sensitive items, such as access to customers’ external systems, but should not be used to store passwords, which should always be ‘hashed’.

Hashing is a security mechanism whereby a set of one-way mathematical calculations transforms a plain-text password into seemingly random characters. This prevents anyone from seeing the original text, which makes it ideal for storing passwords. By hashing passwords, even if somebody were to infiltrate the system, your login details will remain hidden.
3. Are they hashing and salting?

Hashed passwords are essential when it comes to sensitive data. The bottom line is, regardless of the system, if you create a password and a vendor can tell you what that password is, you should walk away immediately.

At Urgent Technology we go a step further than hashing by performing ‘salting’. Salting appends random text to the end of your password before hashing the entire string of characters. Salting prevents the use of ‘rainbow tables’ (a pre-computed list of commonly used passwords), which could unscramble passwords and use them to gain access to multiple user accounts.
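The following example, added here and not part of the original article or of Urgent Technology’s platform, illustrates questions 2 and 3 together: why a plain hash of a common password can be looked up in a pre-computed table, why a per-user random salt defeats that lookup, and why a provider that stores a salted hash can only check a password, never tell you what it is. The tiny rainbow table and the iteration count are constructed values for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a small pre-computed table of commonly used passwords,
# hashed with plain (unsalted) SHA-256 so a stored digest can be looked up directly.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

PBKDF2_ITERATIONS = 200_000  # assumption: work factor chosen for this demo


def unsalted_hash(password: str) -> str:
    """One-way, but identical passwords give identical digests, so a
    pre-computed table recovers any common password in one lookup."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_in_rainbow_table(digest: str) -> Optional[str]:
    """Return the password if the digest appears in the pre-computed table, else None."""
    return RAINBOW_TABLE.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Stored as 'salt_hex$hash_hex'
    so the salt can be reused at verification time; the password is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time.
    The provider can answer 'does this match?' but never 'what is the password?'."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    weak = unsalted_hash("letmein")
    print("unsalted digest found in table:", lookup_in_rainbow_table(weak))  # letmein
    record = hash_password("letmein")
    print("salted record:", record)
    print("same password, second user, same record:", hash_password("letmein") == record)  # False
    print("verify correct password:", verify_password("letmein", record))  # True
    print("verify wrong password:", verify_password("Letmein", record))  # False
```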
4. Do they follow OWASP and have an internal secure coding process?

Every good software developer should ensure the use of secure coding within their applications. To ensure developers do not fall foul of the biggest coding risks, one of the most important tools is an online resource known as the Open Web Application Security Project (OWASP). This provides a continuously updated list of the largest threats and risks – all of which are rooted in coding mistakes – according to the industry.
5. Is all code checked before it goes into the product?

During development a product will undergo many changes before it is given to the quality assurance team. Often the product will pass quality checks, but this does not guarantee that it has been checked rigorously for security.

At Urgent Technology every product change made during development is checked by at least one other senior developer before inclusion in the main branch of the platform. Regardless of the type of change, each one is reviewed to ensure it corresponds with company and security standards.
Armed with satisfactory responses to these five questions, you can expect to have chosen a secure CAFM provider. It’s also useful at this stage to confirm that they are GDPR compliant and have an ISO 27001 certification or that they are working to the ISO standards.

With this in mind, CAFM software provider Urgent Technology will be debuting its new business intelligence functionality at this year’s Facilities Show. The new BI tool delivers powerful, insightful reports that identify important patterns from FM data and assess areas of the business that require improvements, empowering facilities managers and giving them peace of mind in the process.
FACILITIES SHOW DAILY FMJ.CO.UK