I’m a security nut. I mean, I write a security-focused technology blog for goodness sake, I’m hardly revealing national secrets here. But hold on, I’m writing this on a WordPress blog. You only need to check out the CVE register to see an unnervingly large list of WordPress vulnerabilities. If I was really serious about security, surely I would have a bespoke website created, right? Well, probably, yeah, but this is secure enough for now. But how secure is secure-enough?
What Am I Scared Of?
Me? I’m scared of everything on the Internet! They’re all out to get me! Okay, while I’m not quite as the stage of covering the windows in tin-foil, I do have a well founded distrust of all information systems. Information systems all have their weaknesses, and it depends on how motivated a bad-actor is to find those weaknesses as to how long those weaknesses hold up under pressure.
I grew up the son of a mechanic, and I’m car daft, so I like to use lots of car analogies to make this stuff all make sense. You probably carry around a spare tyre, or at least one of those crazy tyre-hole-fixy-doo-dah’s (yes, that is the technical term for them), but you don’t carry two. You really don’t want to get a puncture, and it’s pretty unlikely, but it might happen. But carrying two spare tyres would be too much weight and expense to keep up, so we make do with the amount of capacity for failure we have. Information systems are exactly the same. They have a good amount of fail-safe technology built in, but if something massively happens, it’s going to buckle.
However, if you’re in a combat situation and a flat tyre might cost lives, you spend the money to protect against that. You buy a tank! Tanks cost a few million quid, so you only use one when it is absolutely critical that nothing stops your progress from here to there. Edge cases can be carefully considered and designed around. No expense is spared.
Our website is more of a VW Golf than a Sherman Tank.
How Are Your Systems Used?
As I mentioned, my website is secure enough for my use. I do not take payments for anything, I don’t store customer data anywhere near the web server. There were ten WordPress core vulnerabilities reported in 2019, and while succumbing to one of those would be embarrassing, that’s all it would be.
But what do your information systems do? Do you keep lots of information about your clients on web-accessible systems? And what would be the impact if the worst were to happen? If the answer is “not a lot”, then you should be able to sleep at night.
Low Hanging Fruit
When we talk about low-hanging fruit, we’re talking about the things which are the easiest to get at. In this case, I’m talking about low-hanging fruit for both attackers, and administrators. (maybe check out our buzzword bingo post here to help you understand some more terminology.)
Attackers use automated techniques to scan the whole Internet, just looking for someone who hasn’t patched their system. If they find a target who didn’t patch against the known exploit in a software component that they use, it’s easy to exploit that vulnerability. Hacking into a fully patched system is infinitely more difficult. So just keeping your systems updated is a crucial step to security. It means we fly under the radar. Our systems never appear in lists of systems vulnerable to known attacks. Our systems are more trouble than they’re worth, unless we are being specifically targeted.
So if you want to do something to improve your cyber-security posture, just do the easy things first. Patch your servers. Switch on logging and automated Intrusion Detection Software (IDS). Usually this is baked right into the web hosting platforms we all use.
My Secure Data
I’ve been a bit gung-ho about security up to now in this post. I’m telling you just do the easy stuff and you’re probably fine. That is true, but I also said you should think about your systems, and how important they are.
I said my website doesn’t contain sensitive information, and that’s true, but my business does have sensitive information elsewhere. It is kept completely separate from the web facing servers, encrypted (using my own keys) and backed up in 2 places.
I could host my company’s email myself, on a server I manage. There would be lots of benefits to that too, and it would certainly be cheaper. But I host my mail with Google because they spend literally millions of pounds securing everyone’s email accounts for them. I pay a few pounds per mailbox per month, and I know I have the might of Google keeping spam and the majority of phishing emails out of my business. To me, it is a price well worth paying.
This is exactly the same argument for cloud-hosting in general. Sure, you can buy a whole server and all the maintenance nightmares they come with – or you can just buy the services you need as a subscription. My beauty sleep means more to me than a couple of pounds a month.