If you’re a small business or charity, the chances are you do not have an in-house software development team. Chances are also high that you don’t have a massive budget to spend on IT provision.
Worrying about the seemingly unlikely event of your IT being hacked may be low on your list of priorities once you’ve paid an IT vendor to build you a website, provide you with a database, deploy your services on their, your, or a third party’s server, and test that the whole thing more or less hangs together.
After all, why would anyone target your innocuous little system? And even if they did, what damage could they really do?
Hackers Don’t Care How Small You Are
When your IT security is breached, or you discover a vulnerability that may allow it to be breached, the best thing you can do is make the world aware. This is why victims of hacking attacks volunteer the details of such incidents and vulnerabilities to organisations such as OWASP.
And the thing that quickly becomes apparent when you look through a timeline of hacking incidents is that most attacks are opportunistic: indiscriminate attempts against whatever happens to be exposed, serving no purpose other than to add another entry to the attacker’s tally.
Impactful attacks on high-profile targets are newsworthy, but hackers don’t typically dedicate their time to bringing down one Goliath as part of some ideological or political crusade. At least outside of Hollywood and Netflix.
You exist online. That is sufficient to make you a target.
A ‘Contact Us’ Form is All Hackers Need
I don’t have customers who need to log on. No financial transactions take place on my website. I don’t even store clients’ data. What’s the worst that can possibly happen?
Quite a lot, actually. If you have, for instance, a website with a Contact Us page that takes the name, contact details and query information about a potential client, you might think web security is a non-issue so long as you don’t store that information for your later use.
The question is: Do you know for sure that it isn’t stored somewhere? How is the form converted to e-mail? Intermediary files may be used and not immediately deleted, so you may be storing personal data without knowing it. Is any data written to system logs? Most software writes information (for instance, whatever input caused an error) to logs meant to help software vendors diagnose problems with the system. A forgotten line of code or an overly verbose error message might be enough for you to be storing personal data without knowing it.
So even if your system isn’t designed to store data, a single innocent-looking Contact Us form might be all a hacker needs to get at it. Patience, some knowledge of the kind of system your website runs on, and one small mistake are all it takes to get from that innocuous form to the server your website runs on.
‘Not Knowing’ Doesn’t Imply ‘Not Responsible’
But isn’t this technical stuff what I pay my IT vendor for?
Yes, provided you take security seriously from the start. In 2014, a charity was fined £200,000 by the ICO following a hack of the kind described above, in which individuals’ personal data had been taken. The charity hadn’t needed the personal data stored, but had no formal documentation to demonstrate that not storing it was a requirement it had set its IT vendor.
What you don’t know really can hurt you.
And this isn’t about knowing how a website is built, or how a network works, or how emails are sent. This isn’t about knowing what web servers, operating systems, or databases are. Forget that technical stuff. This is about taking a conscientious position on how you treat individuals’ data. Cyber-security is a business problem, not just an IT problem.
Make Security Part of the Conversation Before You Contract a Vendor
There is little point in making security a requirement of your IT if your vendor cannot implement it. Sure, they might be liable in the event of an attack, but that doesn’t make you — and therefore your reputation — any more secure.
If the earlier example proves anything, it’s that not every vendor will make security a priority, or even a possibility. The same assumptions you might make about who a hacker will and will not target are potentially shared by the very people who are supposed to be dealing with this on your behalf. Cyber-security might be as new to them as it is to you.
If your current vendor does not provide the security assurances you need, you should start looking for a different vendor.
Document Your IT Requirements
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. — Data Protection Act 1998
Consider every person and process that handles personal data and ask what each actually needs to do with it. Grant no more privilege to handle that data than necessity demands. Store only the data your business needs, and keep the number of users with broader access to a minimum.
Are customers sending or receiving personal data over the internet? If so, make sure that data is encrypted in-flight. Make sure no data identifying customers is ever logged anywhere by the code or displayed in error messages on screen. This includes errors thrown by other software you use, such as database errors.
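As an added illustration of the two points above (data leaking into logs, and error messages echoing internal detail or submitted values to the screen), here is a tiny contact-form handler in Python, first in the form the article warns about and then hardened. This is not code from the article: the sample submission, the stand-in mailers and all function names are constructed for the example, and a real site would plug in its own mail-sending code in place of the stand-ins.

```python
import io
import logging
import uuid

# Constructed sample submission, the kind of data a Contact Us form collects.
# Made-up values; not a real person.
SAMPLE_FORM = {
    "name": "Jane Example",
    "email": "jane@example.org",
    "phone": "07700 900123",
    "query": "Can you quote for a new kitchen? I'm at 1 High Street.",
}

THANKS_PAGE = "Thanks, we'll be in touch."


def failing_mailer(form):
    """Stand-in for the mail-sending step. Like many relays and databases it
    quotes the offending value in its error, so the exception text itself
    carries personal data."""
    raise RuntimeError(
        f"SMTP relay rejected sender {form['email']}: 550 relaying denied"
    )


def working_mailer(form):
    """Stand-in for a mailer that succeeds."""
    return True


def _capture_logger(name):
    """Logger writing to an in-memory buffer, so we can inspect what was logged."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def handle_contact_naive(form, send_mail=failing_mailer):
    """The pattern the article warns about: on failure, dump the whole
    submission into the log and echo the raw exception to the visitor.
    Returns (response, log_text)."""
    logger, buf = _capture_logger("contact.naive")
    try:
        send_mail(form)
        return {"ok": True, "page": THANKS_PAGE}, buf.getvalue()
    except Exception as exc:
        logger.error("mail failed for submission %r: %s", form, exc)
        return {"ok": False, "page": f"Error: {exc}"}, buf.getvalue()


def redact(form):
    """Keep only what an operator needs to investigate: which fields were
    present and how long they were, never their contents."""
    return {field: f"<{len(value)} chars>" for field, value in form.items()}


def handle_contact_hardened(form, send_mail=failing_mailer):
    """Same flow, but the log never receives personal data, the visitor never
    sees internal detail, and a reference ID ties the two together."""
    logger, buf = _capture_logger("contact.hardened")
    ref = uuid.uuid4().hex[:8]
    try:
        send_mail(form)
        return {"ok": True, "page": THANKS_PAGE}, buf.getvalue()
    except Exception as exc:
        # Log the exception *type*, not its message: the message may quote
        # the submitted values, as failing_mailer's does.
        logger.error("ref=%s mail failed (%s) fields=%s",
                     ref, type(exc).__name__, redact(form))
        return (
            {"ok": False,
             "page": f"Sorry, we couldn't send your message. Reference: {ref}"},
            buf.getvalue(),
        )


if __name__ == "__main__":
    for handler in (handle_contact_naive, handle_contact_hardened):
        response, log_text = handler(SAMPLE_FORM)
        print(handler.__name__)
        print("  visitor sees:", response["page"])
        print("  log contains:", log_text.strip())
```

The stand-in mailer deliberately fails with an error that quotes the visitor's e-mail address, the way a mail relay or database often echoes the offending value back. That is why the hardened handler logs only the exception type and a summary of which fields were present, and shows the visitor a reference number rather than the raw error: the reference lets your vendor find the right log line without any personal data having to appear in either place.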
Make sure your data security is tested, by you or by your IT vendor. The ICO offers a free suite of data protection self-assessments to highlight issues you may not realise you have, and there are also dedicated software tools for testing your system for vulnerabilities. Their findings are technical, but every one of them translates into a cost to your finances, your reputation, your customers, or your future viability.
OWASP regularly ranks the most serious categories of web application security risk, drawing on its ever-expanding knowledge base. Generally speaking, you should ask your vendor to test for at least the top three. Some might not apply to your system, but satisfy yourself that your vendor understands the need to safeguard your system across all three areas.
Most importantly, whatever your needs, make sure your requirements state precisely what you’ve asked for. And make sure you can demonstrate that this is what you asked for.
Ask yourself two things: Did you really ask for it? Can you show that you did?