By Terry Cutler
A recent vulnerability audit and simulated hacking scenario on the website of a small non-profit uncovered 25 possible vulnerabilities. According to the director and his board, a problem of that scale should never have occurred.
“When we created the site two years ago we assumed that our web developer would consider security of the site as a normal consideration,” said the director, who asked to remain anonymous for security reasons. “Actually, we are a small association with a small budget and a small website. Who would think that anyone would want our information?”
It is a prevailing attitude, and one that has implications for the bottom line.
As the head of an association or business, you expect your outsourced IT group or web developer to be handling security. Are they really? The answer is a resounding no. Website creators and managed service providers are not in the business of testing or coding your website to security best practices unless that work is explicitly part of the contract, and it rarely is.
It is simply assumed that they are.
Not long ago, I ran a 45-minute rapid audit of the website of a doors-and-frames supply manufacturer and discovered a vulnerability that would let an attacker modify the site so that it served an infected PDF file to every visitor. Broken down, that means any visitor running an out-of-date Adobe Reader could be compromised just by opening the file. After contacting the webmaster, I learned that he didn't feel the need to fix it or add any protection.
“If I’m paying my outsourced IT group several hundred dollars a month, I assume they’re taking care of my security as well, since it falls under IT. No one will hack my site because there’s nothing valuable on it,” said the owner of the doors-and-frames company.
The common theme in the industry is that providers have adopted a “sweep the incident under the rug” attitude as standard practice, without advising the client; the hope is that the problem will go away. That assessment may be too harsh. Most developers are still making the transition from basic web development to development with security built in from the start.
In the interim, directors and owners are caught staring like a “deer in headlights”.
Small businesses are the perfect victims for the unscrupulous, and this is directly linked to a small, and sometimes non-existent, security budget. The attackers are often not after your information at all; they want to use your systems as a middleman to break into others, most likely a large company with far more to lose.
In other words, they are using your network to frame you.
The big problem for the unwilling and unknowing middleman is that when a security forensics team shows up and uncovers what happened, law enforcement will be paying you a visit, because the evidence points to your system, or to someone you employ, as the source of the crime.
Many small businesses are simply not aware of how vulnerable their sites are to hackers. While developers in the past were not trained to build in security, their roles are changing. More certified training is being offered, laying the basic foundation all developers need to produce applications that are more stable and pose fewer security risks to the end user.
I’m a government-cleared cybersecurity expert (a Certified Ethical Hacker) and the Vice-President of Cyber at SIRCO, an investigations and protection firm in Montréal, Canada.
I’m also a frequent contributor to national and global media reporting on cyber-crime, spying, security failures, internet scams, and the real social-network dangers that families and individuals face every day.