The need for website security has grown by leaps and bounds over the last few decades. Every other day there are news reports of websites being hacked, mail accounts being taken over and credit card data being leaked. How do you make sure your website is not the next one?
It is a difficult time to live in when it comes to anything to do with security: everything from cars to water purifiers is now automated and connected. All this automation comes at a cost, and that cost is your personal privacy. Your privacy, and that of the people who use your site, is at risk the moment a weakness is exploited. In an age when Chrysler Jeeps are being hacked remotely, ATMs are being emptied with the help of smartphones, and companies with huge coffers are being taken down, how does the average Joe keep his or her website secure? And beyond the website, how do you keep your digital identity safe?
“I always seem to get hacked, how can I improve my website security?” – Most searched query
Short answer? Find someone who can help you with your security. Not someone who can fix your website once it has been hacked, but someone who can and will advise you on how to stop the attack in the first place. Most hacking is not new or revolutionary; the bulk of it relies on techniques that have been circulating on the Internet for years. That is a fact. Time and time again, the OWASP Top 10 lists the same classes of issue (injection, broken authentication, cross-site scripting and their relatives), just in a different order depending on which vulnerabilities have been “trending” over the past few years, if we can put it that way. You want someone you can call at 3 a.m. (not that it should ever come to that) and have the voice at the other end of the line say, “Let me help you fix that.” And when they say help, they should mean it. You should be able to trust the person at the other end of the line to pull you through.
How do you know who to work with for your website security?
Before we answer the question, allow us a moment to list the qualities we consider absolutely essential:
- The right skill set
- Prompt to fix things when reported/discovered
The right skill set is obviously very important. If someone does not have the skills, you need to find someone who does.
How would you find someone with the skills you need?
A lot of people out there have impressive profiles, which they wave around like a magic wand. It is sometimes difficult to tell whether a person actually knows what they are talking about. So how do you find people with the right skills? How do you know whether they can walk the walk as well as talk the talk? The answer is this: you need to ask them questions. Questions that evoke responses other than the usual “your business has a 70% chance of taking a hit” or “there is a huge risk to your data”. What we suggest is asking them what business risks could actually affect your business. If they get all analytical and calculative and cannot explain it in layman’s terms, they may not have the practical experience you need. They need to be able to break difficult things down into easy-to-understand language. They should be able to make analogies, because everyone who is good at what they do can break it down into smaller, bite-sized pieces. It does not take a genius to do that. One famous analogy describing radio communication (commonly credited to Albert Einstein, among others including the Shah of Persia) goes: “You see, wire telegraph is a kind of a very, very long cat. You pull his tail in New York and his head is meowing in Los Angeles. Do you understand this? And radio operates exactly the same way: you send signals here, they receive them there. The only difference is that there is no cat.” (Albert Einstein)
Prompt to fix things when reported/discovered? Why is this here?
It finds its way here only because far too many people sit on bug reports, thinking that the issue is not that bad or not important enough to fix right away. And lo and behold, some time later the inevitable happens: the website gets hacked. Snapchat, Target and Sony are all companies that had been told about vulnerabilities in their infrastructure before their breaches and did nothing. Nothing! When people take time out of their daily lives to tell you about a vulnerability in your infrastructure, you should get around to fixing it right away.
Last question, how do I know “who” to trust?
Trust is a big one here, probably the biggest when it comes to website security. Having the right skill set and fixing things on time are non-negotiable if you want to stay safe. However, all of that matters little if you cannot trust the person you are working with. So how do you decide to trust someone? There is no sure-fire way to know right off the bat, and it is hard to give a definite answer. We feel it is easier to think of it in terms of comfort level: how comfortable are you dealing with the person? If you are comfortable enough, you will end up trusting them. You must also consider alignment of interests. Does it serve the person’s interests to help you with security, or do they only care about their paycheck? In the end it all boils down to whether you judged correctly, once enough water has passed under the bridge. Here we would like to quote the great Sufi sage, Mulla Nasrudin:
You never really know whom you can trust without taking the first step. In time, though, you should be able to see whether the relationship is working out for you. Unless, of course, you hit a patch of bad luck and end up working with someone like Max Vision (the security consultant who, it turned out, was running a carding market on the side), in which case we wish you the best of luck.