So you finally have your website up and running. Now you lie awake at night wondering how to keep it safe. Adam Shiffman, team leader in the Internet Security Group at Toronto-based FSC Internet, has spent the past five years providing information security services to a diverse range of clients including banks, insurance companies and law offices.
Q: In the simplest terms, why should CEOs worry about website security?
A: There are two main reasons. First of all, without proper security you run the risk of hackers defacing your site. When customers see the page has been changed (often to something distasteful) they lose confidence in the company and the business suffers. Honestly, would you give your credit card number to a site you knew had been hacked recently? Secondly, there is a liability issue. Hackers can use an insecure server as a place to launch attacks on other sites, and the company that administers the site can be held liable. This type of scenario can end up being very costly and time consuming to resolve.
Q: Can my in-house IT department ensure my website is secure?
A: Generally speaking, in-house IT departments are too busy. Security often takes a back seat as the IT department spends its time ensuring reliable day-to-day operations, maintaining the network and fixing user problems. Additionally, unless your IT department is large enough to support a designated IT security department, it’s unlikely that the staff will have enough exposure to security issues to develop the needed expertise. That said, security training for IT staff could go a long way towards fixing the more obvious security problems on a corporate network.
Q: How does wireless internet access affect internet security?
A: Wireless network access (also known as Wi-Fi or 802.11) lets computer users roam around the office with a laptop or PDA while remaining connected to the company network. In theory this is great — it allows more freedom and can do a lot to increase productivity. The problem is that most companies that deploy this technology do not secure it correctly and leave themselves vulnerable to intrusion. Most wireless network gear comes out of the box configured in an insecure way, allowing attackers to watch your network’s traffic (such as private e-mails!) and, depending on the setup, connect to your corporate network. Even when configured correctly, there are flaws in the security of wireless network gear that manufacturers are only now beginning to address. The bottom line is: don’t deploy wireless network access for your company’s network without a thorough look at the security issues.
Q: What’s the cost for a security specialist to try to hack my site to see if it’s secure?
A: The cost of engaging a consultant to provide a web-security assessment depends on several factors — for example, is the website simply a brochure/information site, or is it a complex web application? Generally these types of activities are billed based on time, and for a simple website or small company LAN it won’t break the bank. In terms of ballpark figures, senior consultants generally bill somewhere around $1200 a day, and a small-to-medium assessment — maybe a site with a small e-commerce application and the network infrastructure surrounding it — might take 3 or 4 days, including documentation.
Q: How do I find the right security consultant?
A: Ask lots of questions. How long have they been doing security assessments? There are many 19-year-old kids out there who put together a website and call themselves “security professionals.” What platforms do they support? Can they provide references? I’d obviously recommend the company I work for, FSC Internet — we’ve been in business more than 10 years and have the largest security team in Canada. Other options include the bigger management consultancies such as Deloitte and Touche or KPMG — both have information security departments. As well, companies like IBM Global Services, AT&T Canada and HP/Compaq offer similar services.