Photo by http://www.flickr.com/photos/uggboy/, used under a Creative Commons license.
The plain truth can sometimes be so absurd that it’s not worth saying, and at the same time it might be so wrong that it’s also not worth repeating.
Take, for example, people who tell you their web services are secure because they’ve never been breached. I could also say that I’m such a safe driver that I’ve never been in an accident, but that doesn’t mean I don’t wear my seatbelt.
Did you know that some companies purposely choose not to run formal security programs and procedures, because knowing they had been breached would be worse than not knowing at all? Think about it: some people believe in plausible deniability. For better or for worse, nobody can get away with looking the other way anymore when it comes to information security. Information security (or insecurity) has now successfully broken out of the geek channels and is regularly reported in mainstream media.
As Troy Hunt says in his post “Your website has never been hacked! (except for all the times it has),” “Not knowing you’ve had a security incident is not the same as not having had a security incident.” He calls attention to the failures of this specious reasoning. Bottom line – just because your website hasn’t been defaced doesn’t mean it hasn’t been breached, or that your web services are even remotely secure.
Here is a hint – today’s black markets are based on a non-zero-sum economy. The attacker doesn’t need to deface your website or even rob you of your customer data in order to be successful. All he or she needs is a few minutes to look at your customer data or to plant some readily available monitoring software, and you may never see a visible sign of it. Bottom line – security is often forgotten and left to be addressed once the company is making money.
For a classic misstep, look no further than Josh Owens and his glorious list of 8 things often forgotten for a product launch. Aside from backups, there isn’t a single security-related topic on his list.
Sadly, the total lack of security basics is often the norm. Take for example the book “The Lean Startup” by Eric Ries, which has been all the rage among investors and entrepreneurs. While readers learn a lot about cohort graphs, minimum viable products and how to pivot, the security of the product is never once taken into consideration. Granted, Ries wrote more about business process and product management, but the age-old problem of putting technology ahead of security continues to fester in our start-up culture.
Without relying on fear, uncertainty and doubt, I can still reliably say that breaches happen to everyone. Just because my website hasn’t been defaced doesn’t mean I can tell people my services are secure. Bottom line – the time to invest in security is early and often.