At TazWorks, your security is of the utmost importance to us. That’s why we follow industry best practices and security standards, have PCI DSS and EI3PA certifications, are in the process of receiving our SOC 2 certification, and constantly monitor and review the ever-changing security landscape for ways to continually improve. Today, we wanted to share a few of the ways we keep your data—and that of your clients and applicants—safe.
Keeping software current

Most hacks and breaches are the result of using outdated software with known vulnerabilities. For example, the hackers in the recent Equifax data breach exploited a known vulnerability in one of the software libraries used by Equifax. The fix for the vulnerability had been available for over two months when the breach occurred, but Equifax had not yet updated their systems. Ouch!
Deploying frequently with code reviews

We make sure that our code stays current and secure on all fronts. We release software multiple times per week. Every code change is reviewed by at least one other software engineer (peer code review) and passed through QA before it is ever deployed.
Automatically checking for vulnerabilities

In addition to the multiple manual reviews our code goes through, it’s also audited using automated static code analysis that checks the code for over 130 of the most common security vulnerabilities every time code is updated (and, by the way, the top 10 vulnerabilities account for 85% of all exploits, so if you’re keeping up to date even just on those few, you’re immediately immune to 85% of potential problems). In addition to the security vulnerabilities, the code analysis also checks for hundreds of other common programming errors and deviations from best practices. This removes the human error element and helps ensure that we are not inadvertently introducing problems.
Eliminating outdated software and dependencies

Our code deployment pipeline also automatically checks for and alerts us to available updates for our software dependencies. We want to ensure that we will never be in the situation where we have missed critical updates that have been available for months.

Beyond those dependencies, we regularly evaluate all components of our software and IT infrastructure to ensure that they are still actively maintained, appropriate for our purposes, widely used and adopted, and that the best and brightest software engineers are available and interested to work on projects using those technologies. When one of our components does not meet the standard, we replace it with one that does. For example, several years ago we migrated from using PHP as our primary coding language to using Java. PHP wasn’t able to support enterprise-level projects and attract the best developers (see the chart below for the relative interest levels according to Google Trends of Java compared to a few ancient and dying programming languages). Similarly, we have several frontend technologies that are in their golden years, so we are actively transitioning our frontend to React.
Protecting your data in every stage

We follow the best industry encryption standards for protecting your data. Data at rest (stored in a database) is encrypted using AES256. For data in transit (travelling over the Internet), we use Transport Layer Security (TLS, which is still commonly called SSL, though that name is technically incorrect). As previously announced, we’re already in the process of removing support for older TLS protocol versions so that we’ll only support the most current, secure version (see our announcement here for how this impacts you). We also stand on the shoulders of giants by using Amazon Web Services to host and store all our data (read their 75-page overview of security processes here).
Password hashing

We use the latest and greatest methods of password hashing, which resembles encryption except that there is no key: a hash cannot be reversed to recover the original password. The time and effort needed to crack hashed passwords becomes so great that it is economically unfeasible for hackers to keep trying. Since 79% of cyberattacks are opportunistic, most hackers will simply move on as soon as they encounter resistance. Even in Ashley Madison’s data breach, only 0.0668% (in other words, not even one whole password out of every 1,000) was cracked—and the password hashing standards we use are even stronger than theirs.
Using multi-factor authentication and preventing personal vulnerabilities

However, the most common data breaches don’t come from attacking the code itself. They come from attacking people—in 2016, over 60% of corporate data breaches were caused by social engineering—which is why we have even more safeguards in place. All our employees receive regular security trainings, and our employees and all users are required to use multi-factor authentication in order to log in to TazWorks’ systems.

Multi-factor authentication means that just using a password to log into an account isn’t sufficient; users are required to also provide a code that is texted to them, use an authenticator app, or enter a code provided via email. According to Symantec, 80% of data breaches can be prevented simply by using MFA. We also require strong passwords along with regular password changes, as 63% of data breaches involve weak, default, or stolen passwords.
The bottom line

In 2015, cybercrime cost over $400 billion, and by 2019, it’s estimated that it will cost companies over 2 trillion dollars. Don’t be one of those casualties. By choosing TazWorks, you’re not just using our software. You’re also taking advantage of our rigorous security practices to make sure you, your business, your clients, and your applicants stay safe.