Timesheets hold sensitive corporate and customer data including customer details, time spent, details of work done, and in many cases the internal cost and recharge rates involved. Aside from the legal and ethical issues, poor timesheet data security risks severe loss of goodwill and potentially loss of revenue. Although it is important for all corporate data to be kept secure, timesheet data, the security of timesheet systems and ISO and SOC2 certification is often overlooked.
One of the weakest aspects of timesheet security is mobile apps. Research estimates that nearly 80% of mobile apps have been hacked, indicating it is time to consider the security risks of mobile devices and take steps to ensure secure timesheet entry.
Although SSL, SSO and data encryption security is common with cloud software, ISO / SOC2 compliance and security certification through Penetration testing (PEN Testing) is often overlooked and misunderstood.
For maximum security, three levels of ISO / SOC2 certification is require:
1) The compliance of the Software supplier
2) The methods in which the software is developed and maintained
3) The compliance of the hosting provider
ISO certification is an international standard and is slightly more stringent, more difficult to achieve and most importantly is international. SOC2 is US based only. In the US, either SOC2 or ISO 9001 & 27001 are acceptable, whereas outside the US ISO 9001 & 27001 is best.
Many software providers claim ISO / SOC2 compliance through the certification of the hosting provider – meeting item 3 above but ignoring items 1 and 2. Achieving ISO / SOC2 compliance is a time consuming and costly process, which many smaller companies understandably want to avoid. In this circumstance it is up to the customer to decide whether the software from such providers is worth the potential security risks. (Timewatch are ISO 9001 and 27001 certified)
New software security vulnerabilities are being exposed every day, and it is crucial that cloud software is continually tested for vulnerabilities, and this is what Penetration Testing and certification (Pen Testing) provides. PEN testing, like ISO/SOC2 certification is an expensive process which again many smaller software houses avoid at their and their customers risk. In such circumstances it is up to each customer to decide ehtehr the software from providers that do not offer PEN testing is work the security risks, or whether to perform PEN tests themselves and request suppliers resolve security risks exposed in a timely fashion. (Timewatch perform regular PEN testing and provide certificates on request).
Mobile apps are a security risk. Independent security exports Arxan reported that 86% of all mobile apps have been hacked and exposed serious security risks, particularly in situations where employees use their personal mobile phone for businesses use. Mobile apps store data on the local device to support offline use and speed up online performance. However, this puts corporate data outside of the reach of the corporate security network, and if the phone is lost or stolen, sensitive corporate data is at risk.
In the desktop environment, the concept of downloading an application to use locally is recognized as a security risk and is best avoided. In contrast cloud software is recognized as more secure as no application or data is downloaded, everything runs off of secure servers in the cloud. So why do mobile apps use a methodology that is seen as somewhat archaic and a security risk in the desktop world? Ease of use and price are most commonly cited as the highest considerations when researching timesheet solutions, and certainly it is cheaper and easier to create a mobile app. The most secure approach for a secure timesheet is to use the exact same architecture as is used for desktop – a secure web application with SSL, SSO, data encryption etc. This is the approach recommended by independent security experts, and the approach Timewatch utilize for mobile applications.