It’s an all too common occurrence that you read in the news these days – this or that website got hacked and thousands of bits of private information has been made available to the public from addresses to credit card information. More often than not the website didn’t actually get hacked but rather the website was insecure and the owners of the website had made the data available to the public either through a mistake, ignorance, irresponsibility or negligence.
Mistakes can happen, we are all human and it’s in our nature. Sometimes data can be made insecure through process error. That’s unfortunate and such errors should be investigated as to what the root cause was. If it can be found, analysed and ideally the same or similar reasons for the insecure website won’t happen again. I put things such as wrongly applied web application permissions or even network administrator errors (making the host server insecure) in this category.
Ignorance is probably the next greatest cause of insecure website. That is… ignorance of the businesses for which the website was created for. Whether the website was developed in-house, purchased or outsourced, the business must take the responsibility to ensure the website is secure or at least do anything in their reasonable power to ensure that it is. Developers make mistakes, operations make mistakes. Some developers don’t actually care or even know how to develop websites in a responsible and secure way but… even if they do, it is always a good and responsible thing to do a security review. Security reviews should also be regular to ensure that bug fixes, updates, system patches or even configuration changes haven’t made what was a secure website insecure. I would strongly recommend that any website that hosts important private information be reviewed either by an in-house security analyst or outsource the review to a 3rd party who offers such services – they should be able to examine your system and give you a report on common security flaws and whether they exist or not in your website.
Because we are all human, errors are inevitable no matter what processes or good practices are put in place. The occurrence of such security breaches however should be much much lower than they presently are. The worst thing though is that it’s also more common than it should be for companies to hide or ignore breaches if they are discovered and even in some cases make outright negligent decisions to try hide the issues.
Related articles:
Snap Chat big lol
the Australian Government’s Public Transport Victoria cannot get some basic things right
Dodo won’t exist any more if that happens too often
Australia Post Can’t Get it right, and someone wants to buy them?
JC