‘Data security breach’, ‘cyber attack’, ‘data security’: we see these and other related words in our newspapers on a regular basis, and we’ve all seen the implications a data security breach carries for both a software provider and its users. It’s no surprise then that a growing number of people ask us about Agworld’s data security policies and practices when evaluating systems for their farm or agronomy business.
As Chief Technology Officer of Agworld I deal with data security on a daily basis and know exactly what to look for, and which questions to ask, when considering a system that will contain any kind of farm or agronomy data. In order to help those who are currently evaluating systems, I have listed the 4 most important questions to ask any provider. These are all simple questions and the answers you receive should be straightforward; if they’re not, that will tell you enough.
1: Hosting and infrastructure
Is a redundant data hosting structure in place and is your data hosting scalable?
The hosting and infrastructure situation of any data platform is critical. All data should be redundantly hosted in multiple data centres and hosting needs to be scalable based on user load.
Redundant hosting in geographically separated data centres ensures service continuity if one data centre suffers a complete failure, for example in the case of a localised incident.
Hosting scalability is important to guarantee service during seasonal demand peaks (for example, when most agronomists perform their pre-season planning at the same time) and when a significant number of new clients are onboarded; it’s not uncommon for this to cause regular outages with some providers.
2: Data recovery and security
Is a best-practice system in place around data recovery and security, and do you have a dedicated team responsible for service reliability and security?
Some of the best practices you should be looking for:
Access to production servers should be limited to only those who require access (the concept of least privilege).
Development and production servers should be hosted in independent networks, so servers in one area cannot communicate with the others.
All data communication between the data centre’s isolated networks and the internet should be encrypted.
Regular data backups should be created to protect against data loss from failures.
Data recovery and security should never be an afterthought or someone’s Friday-afternoon job. It’s a critically important component of any technology service provider and as such deserves a dedicated team that is responsible.
3: Authentication and authorisation
Is a robust authentication and authorisation solution in place for users? Is Two Factor Authentication and Single Sign On in place for administrators?
Authentication and authorisation should be provided by an industry-leading security specialist integrated into a platform or software; ‘home-made solutions’ simply don’t cut it anymore in today’s environment. The ability to authenticate and authorise users and prevent unauthorised access is critical to maintain data privacy.
How a provider’s administrators are able to access the ‘back-end’ of systems is probably more important than you think; you only have to think about the recent attack on Twitter, which saw a number of high-profile accounts getting hacked, to realise how critical this is. Administrator access should always be protected by Two Factor Authentication and Single Sign On at a minimum. Remember: if an administrator’s account is compromised, your data is compromised too!
4: Penetration testing
Is a system in place for regular penetration testing to highlight any vulnerabilities?
No matter how good systems and procedures are, vulnerabilities can always exist where they are least expected. In order to highlight any security vulnerabilities rapidly and get them fixed as soon as possible, any agtech provider should perform at least annual penetration testing by an external provider.
Looking for signs
I hope the 4 standard questions above will help you make the best possible agtech adoption decision for your business. And don’t forget, there are often some very simple signs to look for that will tell you all you need:
Any agtech provider should have a standard document they can send you at a moment’s notice with these and many other data security questions answered.
If a company does not want to answer these questions, this should be a big red flag for you.
A very small company that only employs a few people will often not have a dedicated data security team and is not focused on this topic, which carries a lot of inherent risks.
For new start-ups it’s easy to focus just on ‘developing features’ and data security can become an afterthought; data will inherently be compromised at some point. This lack of focus on data security is not the case for every start-up, but it is something to check and make sure of if you are considering using their services.
If you have any questions about data security and the topics I have touched on in this article, or if you would like to find out how Agworld handles data security, please don’t hesitate to reach out to me on firstname.lastname@example.org.