You’re Never Really Safe

Last week I tried to make a post about IT security and failed (silly poor internet connection in Switzerland).  The good news is, I did some more thinking about the subject, got a chance to talk it through with a couple of colleagues, and now have some more thorough conclusions AND the beautiful chart above.  (I’ll insert the usual disclaimer here: I’m not a security guy, these are just my observations from 10 years in IT and an MBA).

My primary point is this: NO website is completely secure.  IT security is a lot like personal physical security; no matter what you do, you’re never 100% safe.  You can buy a gun, become a black belt, hire a security guard and change your routines daily, but if someone is smart enough, well equipped enough and determined enough they can still shoot you.  In the same way, if a hacker is good enough, well equipped enough and doesn’t care about repercussions, he can hack just about anything.

The reason you put up IT security is the same reason you hire physical security.  The better you secure your site, the better (and more reckless) the hacker has to be, and therefore the smaller the population of people who can hack you.  The level of effort required to deter hackers is not linear.  It’s pretty easy to ward off the casual hackers; the stupid (but well read) script kiddies are a little harder to get rid of; and once you get to the real pros it takes a lot of effort to make intrusions impractical, and no amount of effort makes them impossible.  Every company must decide where on that spectrum it believes it should fall.

So if you’re an individual considering which companies you should trust, remember a few things.  First, don’t trust anybody.  Insure your credit cards, don’t use the same password all over the place, and give your information to as few people as possible.  When you do decide to trust someone, look for the things that keep the casual hackers and script kiddies at bay; things like HTTPS and a certificate from a recognized authority such as VeriSign.  Those signals don’t mean a site is secure, only that the cheapest attacks are off the table.

If you’re a CIO considering security issues you should also remember a few things:

  1. The biggest lesson to learn from Sony is, don’t take pissing off the professional hacking community lightly.
  2. Don’t promise security when you can’t guarantee it (which you almost never can).
  3. Don’t hold sensitive information that you don’t have to; your customers can’t be upset with you (let alone sue you) for losing information that you never had.
  4. Make smart business decisions about security.  Make sure you’re keeping the easy hacks from happening, but be careful you’re not spending a fortune on the right side of the curve; sometimes you’re in the land of diminishing returns and you’d be better off buying insurance.
  • Anonymous

    I completely agree with this post and have been wanting to write a post about security for a while along these same lines.  What started as a reply to this post actually turned into the post I’d been meaning to write.  It does have a bit more of an end user spin though. http://blog.bojansoldan.com/2011/05/25/security-catch-up-game/