It’s an everyday conversation for security professionals who interact with everyday website owners: the one where we have to explain that just because everything seems fine doesn’t mean best security practices can be skipped, and that being safe so far doesn’t grant future invincibility.
The question “Why should I worry?” is heard so often that we have come to realize we are watching online business owners play in traffic on a virtual highway, somehow believing they will never get hit.
The truth is: You should worry.
In the 90s, if you were among the first using email in the mainstream, you will remember that it was important to be worried about opening emails with strange attachments. Like cavemen wondering whether they should fear the rustling grass, some of us were gobbled up by tigers lurking in our inboxes when we chose to proceed and clicked without caution. The majority of those getting hacked today are the successors of those consumed and spit out by the underbelly of technology in the previous generation; the leftovers of those who were not cautious and drank the poisoned Kool-Aid.
Fast-forward to the present day. A business that has just started making sales is more satisfied with its projected analytics data than dissatisfied with the lack of a security review or policy for its website. For that, it may soon be punished with a rise to success cut short by a brand-destroying malware infection.
More specifically than simply not being worried, these owners didn’t understand the environment. Rustling grass was dismissed as just the wind, not a hungry tiger. Cries to implement security practices and build a secure infrastructure on bricks rather than straw fell on deaf ears. This is a very common start to a story about the hurdles businesses face with information security, and it often carries a theme of simply neglecting to understand.
To operate in a world where you don’t fully know all of the details about an environment is dangerous enough. To charge forward unaware of the dangers is an unfortunate recurrence among people using technology to achieve their goals. The mindsets that protect us in the physical world are slow to help us adapt to the digital one, and we see our intangible creations as controlled only by us, and inherently protected from others, just because we’ve never told anybody the password.
My home has never been burglarized; I still lock my doors.
The mentality of a security professional is not a baseline, since it’s not the norm to want complete security in every aspect of existence. No matter what I’m securing, I survey the initial layout of what needs to be protected and go to the lengths required to secure the environment. It’s not expected that everyone will take every measure possible, but above all else, and no matter what, I lock my doors when I leave my home, and I would hope this is everybody else’s rule as well. Surprisingly, denizens of cyberspace figuratively leave the doors of their business wide open for months at a time on busy digital street-fronts frequented by malware-wielding thugs and gangsters. Their reasoning usually goes along the lines of, “Well, I’ve never been hacked before.”
The flip side is awareness. On a website, on a web server owned by a far-away hosting company, in a datacenter across the country, do you even know how to lock the doors? A high-density apartment presents a far different scenario than a large industrial compound. Differing levels of security are required depending on value and space, along with all of the possible vulnerabilities in the establishment itself.
It’s not hard to find people who agree on a good physical security policy. The psychology of the material world is that there are things to protect from other people taking or damaging them, and it is therefore easier to form good habits of environmental awareness.
Awareness: Address Uncertainty
The psychology surrounding security in the digital world is a stark contrast to that in our physical realm. With malicious web activity up around the globe, corporate attacks, identity thefts and website infections continue to rise. At the same time, new users flock to the online frontier in the Internet’s ongoing modern-day gold-rush.
These users, like historic pioneers to a new land, often arrive with no clue of what to expect. They find themselves learning concepts and technologies that have only recently come into existence, and education can be sparse to newcomers. To make matters worse, veterans are often unforgiving, knowing that answers are easy to find, but forgetting how hard it once was to come to learn that very fact.
Push a user through this scenario to the point where hosting is actually purchased, a site is actually developed, and consistent sales are actually made, and the result will quite possibly be a success story marred with a horrible security incident.
The general psychology of how and why we come online is completely contrary to the attitude held by those that know the dangers that lie beneath the surface.
How do you become more Security-Minded?
You can completely change your state of security by understanding three basic concepts:
1. You are a target. Simply existing on the Internet puts a bullseye on your chest for hackers to use automated networks of malicious scripts and services to poke and prod at your website until they find a way past the front door. Remember that just having a website online opens a connection on a system you own or rent to the wilds of the web, and all the types of traffic that come with it.
2. Awareness is everything. Understanding the infrastructure of your website, the type of server you run on, and all of the supplemental add-ons and services you use is the entry-level standard for being able to provide security for yourself when working on the Internet.
3. Security is an essential department. Fail to build an administration, and you won’t have leadership to get your business started. Ignore marketing, and no one will show up when you open the doors. Shy away from customers seeking quality service, and lack of loyalty will destroy you. These ‘departments’ are never ignored, but security often is. Make security an essential role in your environment, or your peril will be intruders betraying you from the inside when you least expect it.
Most people grasp that it’s important to prevent nefarious persons from taking or harming their stuff. However, modern society has interwoven a complex system of technology into a new way of life, giving the masses an excuse-driven frame of mind to hide behind: we simply don’t have the comprehension, or even the drive, to try to understand the unknown.
Safety is an Epiphany Away
Watch the grass grow and grow impatient. Forget to maintain it and learn quickly that lack of maintenance brings more work than the maintenance itself. It can take a long time to learn this lesson in website security though, as pest infestations from wild tall grass are much easier to detect than malware infections contained within hundreds of files of thousands of lines of code.
Understand a final concept: security is an eternal struggle, a process that is kept up each and every day.
It cycles through protecting yourself and your space, detecting problems and vulnerabilities, and responding to those issues. Best practices and maintenance principles prop this system up so it works soundly, but it requires an operator. Be an aware target that maintains the division keeping your site’s functionality safe: the Security Department. Change your psychology to stop getting hacked.