The hacking of the Lebanese government websites two weeks ago, for the second time in two months, and the discovery of the Flame virus, which went undetected by every online security firm, are once again highlighting the importance of cybersecurity. I recently caught up with a few security experts to find out how to secure your business and your clients’ information, and why you should care.
Selahaddin Karatas, manager of security firm SolidPass, says that companies too often overlook security issues when first building products. “In fact, due to time-to-market concerns and rapid prototyping before seeking funding, security considerations often become an afterthought. This often leads to dire results once a product becomes more established and has brand power. Hackers, hacktivists, and script kiddies often go for the low-hanging fruit coupled with the bragging rights often associated with prominent brands,” he says.
Runa Sandvik, a security researcher with the Tor Project, an organisation promoting anonymity online, concurs that entrepreneurs don’t realise the risk involved in storing large amounts of data. “People want to store as much information as possible, but it is often just not necessary,” warns Sandvik. “Imagine if you’ve stored a lot of personal details and your data gets hacked.”
She tried to get her point across at a workshop for developers at Arabnet in March. “I wanted to help developers be more aware of these things before they sit down and build all of these applications,” she says. But she also wanted to reach the people at the top of the decision chain who decide how much time and money go to security, citing concerns from employees who complain that they are not given enough time to implement security features in products.
This is not helped by a lack of legal protection. “There is no computer misuse act here, so I would imagine that hacking is a problem but it is not being highlighted enough,” says Sandvik. Symantec’s 2011 Security Report indicates an 81% increase globally in malicious cyberattacks last year, with a total of 5.5 billion attacks blocked by Symantec alone.
The lack of regulations means that it’s the entrepreneur’s job to think ahead. Even if you are a small startup, you aren’t safe, Karatas says; the old adage ‘security through obscurity’ does not apply anymore. “Thinking about security from day one would lead to fewer complications down the road and would be vastly cheaper than the potential monetary and brand trust losses that could emanate from lax security measures. There should be no trade-off from business success, time-to-market and instituting end-to-end security from day one. It just requires a holistic approach to matters and is in fact a minimal investment and more of a mental engagement.”
There are a few measures that Karatas recommends as starting basics:
- Simple measures like SSL (Secure Socket Layer) should be adopted from day one.
- Login forms should be encrypted. All personal data and private information should be anonymized and secured in an encrypted database.
- Admin access rights should be clearly defined and who has access to what and where should be well thought out.
- Procedures should also be in place to prevent "insider" attacks, like the well-documented attack by Khalid Shaikh on YouSendIt, where he was formerly CEO.
- Anything that takes private personal information or imports contact address books, such as mobile apps like Path and iCloud, should definitely have stronger security in place.
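
One way to apply the anonymisation advice in the list above to imported address books, as an added example that is not from the article or from SolidPass: store only keyed tokens (HMAC-SHA256) of the fields a service needs to match on, and drop everything else. The key, the field list and the sample contact are assumptions constructed for illustration; SSL and database encryption are separate layers not shown here.

```python
import hashlib
import hmac
import re

# Assumption: in production this key comes from a secrets manager or KMS and
# is stored apart from the database; the value below is a constructed sample.
PSEUDONYM_KEY = b"constructed-sample-key-not-for-production"

# Data minimisation: the only fields this hypothetical service needs.
ALLOWED_FIELDS = ("email", "phone")


def normalize(field, value):
    """Canonicalise a value so the same contact always yields the same token."""
    if field == "email":
        return value.strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", value)  # keep digits only
    raise ValueError("field not allowed: " + field)


def pseudonymize(field, value, key=PSEUDONYM_KEY):
    """Keyed token (HMAC-SHA256). Without the key, a leaked token cannot be
    checked against guessed phone numbers, unlike a plain unsalted hash."""
    msg = (field + ":" + normalize(field, value)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def minimize_contact(contact, key=PSEUDONYM_KEY):
    """Return the record to store: tokens for allowed fields, nothing else."""
    stored = {}
    for field in ALLOWED_FIELDS:
        value = contact.get(field)
        if value:
            stored[field + "_token"] = pseudonymize(field, value, key)
    return stored


def same_contact(token_a, token_b):
    """Constant-time comparison of two stored tokens."""
    return hmac.compare_digest(token_a, token_b)


if __name__ == "__main__":
    # Constructed sample address-book entry.
    entry = {"name": "Sample Person", "email": " Sample@Example.org ",
             "phone": "+1 (555) 010-0199", "birthday": "1990-01-01"}
    print(minimize_contact(entry))
```

Two users who import the same contact produce the same token, so matching still works, while the name and birthday are never written to the database.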
“Security should be considered from the start,” emphasises Selahaddin. “It’s easier to deploy from the beginning than adding it on as a patch later on.”
Both Runa and Selahaddin point out that there is a general lack of awareness of the importance of protecting your personal data. “The biggest problem in the region is awareness about how to be anonymous online and why you should care about your privacy,” says Sandvik of Tor.
There is a misconception that because customers are not concerned with security, companies need not be either. After security has been breached, customers will care, and owners too. “I love the analogy of fire sprinkler systems,” says Karatas. “They necessitate a small investment upfront but can save whole buildings and neighbourhoods once adopted. Customers often most realize their value once their building has been burnt down.”