Last week I tried to make a post about IT Security and failed (silly poor internet connection in Switzerland). The good news is, I did some more thinking about the subject and got a chance to talk it through with a couple of colleagues, and I have some more thorough conclusions AND the beautiful chart above. (I’ll insert the usual disclaimer here: I’m not a security guy, these are just my observations from 10 years in IT and an MBA).
My primary point is this: NO website is secure. IT security is kind of like personal physical security: no matter what you do, you’re never 100% safe. You can buy a gun, become a black belt, hire a security guard and change your routines daily, but if someone is smart enough, well equipped enough and determined enough they can still shoot you. In the same way, if a hacker is good enough, well equipped enough and doesn’t care about repercussions, then he can hack just about anything.
The reason you put up IT security is the same reason you hire physical security. The better you secure your site, the better (and more reckless) the hacker has to be, and therefore the smaller the population of people who can hack you. The level of effort required to deter hackers is not linear. It’s pretty easy to ward off the casual hackers, the stupid (but well read) Script Kiddies are a little harder to get rid of, and once you get to the real pros it takes a lot of effort to make intrusions impossible. Every company must decide where on the spectrum they believe they should fall.
So if you’re an individual considering which companies you should trust, remember a few things. First, don’t trust anybody. Insure your credit cards, don’t use the same password all over the place, and give your information to as few people as possible. When you do decide to trust someone, look for the things that keep the casual hackers and script kiddies at bay: things like https and VeriSign.
If you’re a CIO considering security issues you should also remember a few things: