Weighing up the risks: a sensible attitude to security

In the news this week I’ve learned that many national and local government websites, as well as NHS ones are highly vulnerable to being hacked and defaced.

See: UK Government sites hacked with pharma spam and UK Parliament XSS flaw disclosed

When putting up any internet-facing resource or system, you need to consider:

1. how important it is to you &your users
2. what would be the implications if it got hacked
3. how much input you’re prepared to make to keep it secure

This is always a balancing act, with no right answers, just a careful judgement of risk. The questions below might help in your assessment.

Importance

• How long do you expect the site to be live on the internet?
• How many people do you expect to use the site?
• How important to you are the people who will be using the site?

Implications

• What would the media say if your site was defaced?
• How would your shareholders react if your site was defaced?
• How much would you be fined if personal data was made public, lost or damaged?

Input

• Do you need to ensure (on a weekly basis) that all aspects of the software (from Operating System through to Application) running the site are up-to-date?
• Do you need to do an annual penetration test (usually against the OWASP Top 10 vulnerabilities)?
• Do you need to ensure that all users change their passwords regularly, and follow a strict password policy?
• Do you need to put security policies (such as multi-factor authentication) in place?

There are a multitude of opinions out there about how to best secure your site. But I would suggest that the more important it is, and the greater the implications, the more input you need to make to keep it secure – probably in the order shown above.

If you'd like to discuss this article, or how I can help you, get in touch.

Posted: 26 March 2014

Tags: Project management Supplier selection

Related articles