Cyber security is getting boring!

25-Oct-2017 16:16:54


It seems that there isn’t a day that goes by without a lurid headline talking about how yet another large company or organisation has lost millions of people’s personal data into the shadowy world of hackers and cyber criminals.

We’re rapidly approaching a point where this constant stream of bad news risks causing some companies and individuals to switch off and stop paying attention to their security. When hacks have become so common, many are no doubt asking, "Why bother?"


Why EVERYONE should bother

As people that work in, manage and run organisations that collect financial information, personal data, or even simply have a website that could be hijacked to harm unsuspecting users, we have a moral obligation to ensure that people interacting with us are kept safe.

We take it for granted that the offices and shops we work in won’t cause people harm when they visit, that the products and services we sell won’t have any adverse effects when customers buy them, and that everyone within the organisation has a part to play in making this happen. 

The same should be true for everything digital, too.

From making sure that people think before sending emails with personal data, to double-checking when asked to make unusual payments, to not assuming that someone else is taking care of the website's safety and security, good cyber security comes from everyone in the team being involved.

This is especially important right now with the spectre of GDPR looming. Even if it turns out to be a damp squib in the end, we’ll all be under increased scrutiny not just from regulators but from better informed individuals too.

One of the biggest areas of risk for all companies and organisations is through their technology suppliers, not least as there’s a natural assumption that all technology companies are focused on doing things securely.


Unstable software

The most common website vulnerability today is still one of the first security flaws ever identified on the web (it is actually older than most of the people now using the web), and an annual report on the software components used to build websites consistently finds that 5% of them have known security issues before they are even downloaded.

In layman’s terms, there are many suppliers building websites and other online ‘stuff’ that either don’t know how to do so securely or don’t care, and this is actually getting worse, not better.

So, what can you do about this, especially if you are not a techie?

Quite a lot actually, and the starting point is very simple. After reading this, go and ask your suppliers three quick questions about their approach to security right now:

  • Is my website/database/system/’stuff’ safe from being hacked?
  • How do you know – does it use a third-party system that is regularly tested or do you have it regularly independently tested?
  • Can you confirm all this in writing please?

A supplier that understands good security practice will be able to answer these questions quickly and concisely to give you the peace of mind that you need.

If this isn’t the case, you have the choice of working with them to improve the situation - good security isn’t rocket science, and how to be secure is very well and publicly documented - or looking for a new supplier that can.

Written by Gwilym Lewis

Gwilym is a co-founder of Appsecco, an experienced cyber security company that provides easy to understand cyber security solutions that are based in commercial reality. Appsecco know that running a business is complicated enough without security experts telling you that you need the equivalent of a bomb shelter to be secure — when all you really need are slightly better door locks and a reminder to close your windows at night. Prior to co-founding Appsecco, Gwilym built and ran a specialist web application development company that was sold to a UK PLC in 2012. Gwilym is constantly told he should stop using the term Cyber Security (and completely understands why) but has yet to come up with a better one for non-technical people!