2-4 December 2024 | ExCel London

5 Questions to Ask your CAFM Provider about Security

Organisations use computer-aided facility management (CAFM) software to drive maintenance management efficiencies, meet regulatory requirements and store facilities management and asset-related data in an easy-to-access, secure place.

While CAFM platforms don’t tend to hold individuals’ data, such as bank account details, they often hold commercially sensitive data, which could impact a business, if it were to be hacked.Your data requires protecting, so it’s important to know that your CAFM provider is secure enough to manage this.

To keep your company and your data safe, here are five questions to ask your CAFM provider when assessing their security provision.

1. Do they conduct regular penetration tests against their platform?

As a minimum your CAFM provider should conduct penetration tests against their platform on an annual basis. One strategy is to hire friendly hackers – also known as ‘white hat hackers’ – to attack the platform andattempt to access, steal or corrupt data they shouldn’t be able to reach. If the hackers are successful, they provide a detailed report on how exactly access was gained and how the application may be breached inthe future, outlining any faults of weaknesses.


2. Are they encrypting sensitive data?

It’s important to ensure sensitive data is protected and understanding the difference between encryption and hashing is a good start. Encryption is a two-way process which means it can be reversed. It’s useful for storing sensitive items, such as access to customers’ external systems, but shouldn’t be used to store passwords which should always be ‘hashed’.

Hashing is a security mechanism whereby a set of one-way mathematical calculations transform a plain text password into seemingly random characters. This prevents anyone from seeing the original text, which makes it ideal for storing passwords. By hashing passwords, even if somebody were to infiltrate the system, your login details would remain hidden.

3. Are they hashing and salting?

Hashed passwords are essential when it comes to sensitive data. The bottom line is, regardless of the system, if you create a password and a vendor can tell you what that password is, you should walk away immediately.

At Urgent Technology we go a step further than hashing and perform ‘salting’. ‘Salting’ appends random text to the end of your password before hashing the entire string of characters. Salting prevents the use of ‘rainbow tables’ (a pre-computed list of commonly used passwords) which could unscramble passwords and use them to gain access to multiple user accounts.

4. Do they follow OWASP and have an internal secure coding process?

Every good software developer should ensure the use of secure coding within their applications. One of the most important tools for developers to ensure they don’t fall foul of the biggest coding risks is the online resource known as the Open Web Application Security Project (OWASP). This provides a continuously updated list of the largest threats and risks – all of which are rooted in coding mistakes – according to the industry.

5. Is all code checked before it goes into the product?

During development a product will undergo many changes before being given to the quality assurance team. Often the product will pass quality checks, but this does not guarantee that it has been checked rigorously for security.

At Urgent Technology every product change made during development is checked by at least one other senior developer before inclusion in the main branch of the platform. Regardless of the type of change, each one is reviewed to ensure it corresponds to company and security standards.Armed with satisfactory responses to these five questions, you can expect to have chosen a secure CAFM provider. It’s also useful at this stage to confirm they are GDPR compliant and have an ISO 27001 certification or that they are working to the ISO standards.

Source: David Cornish, development manager, Urgent Technology.