Cyber Security Awareness Month seems like an appropriate time to remind security practitioners that web security – and information security in general – is an ongoing pursuit, not a point-in-time exercise. Like all months that we designate for awareness, the intention is really to heighten awareness on a topic that we should be devoting efforts and dollars to year round.
As the CEO of a company that assesses the security of more than 20,000 websites around the clock, I can guarantee that there will always be new threats. Web attacks are a constant, known enemy of every organization. As we're currently in Cyber Security Awareness Month and web attacks are more frequent than ever, web security is in fashion. For those of you who have a program in place or are wondering where to begin, here are some examples of things you can do to improve your organization's web security posture today.
Take inventory of your websites. It may seem obvious, but it bears repeating: You cannot secure what you don't know you have. Time and again we see companies that are tripped up, and ultimately breached, because of a website that is not even on the security team's radar. This is especially true in large, multinational enterprises. For example, the marketing team in Johannesburg may not report to you on the site they created for a holiday sale promotion. Many Christmases later, your team may receive a gift it would like to return. The only way to ensure the security of your most valuable sites is to have an accurate account of all your websites. Additionally, this will help you prioritize assessments and lay a strong foundation for your web security program.
Next, bury the hatchet with the business owners. It's a cop out to say that business and security teams can never get along. Yes, it's true that most business owners do not understand security. So what? The security team probably doesn't understand how to market travel packages, sneakers, mutual funds or whatever product your company sells. That's okay. Here's a secret. If you approach the business side of your organization with an explanation of why your security plan has the potential to increase customer confidence, drive more sales and avoid costly outages, they are likely to view security as more than just a punitive measure. What's in it for you? Having a business unit vice president as your ally can positively impact budget discussions. Instead of arcane descriptions of various cyber attacks, security becomes a business-enabler.
Lastly, throw away the crystal ball, you can't predict the future. This year's advanced persistent threats and mobile attacks that dominated headlines will share ink in 2014 with attacks and acronyms we haven't yet heard of. One thing we know for sure is that web and mobile applications will continue to proliferate. That means more attacks and new attack vectors. The key to addressing these threats is not to try to anticipate what is coming. You can't. The only way to protect your company's assets is to develop a web security program that provides an ongoing window into the risks present in your applications. What may not be exploitable today may be a serious threat in the future. The best defense is to ensure that all existing vulnerabilities are remediated or mitigated across your entire web application portfolio. You cannot bet your company on annual or quarterly snapshots of your web security in today's threat environment.
If your company has already taken steps toward a web security program, congratulations. You are several steps ahead of many of your counterparts. Just make sure that you incorporate these suggestions as part of your plan. If your company is not quite there, start today. Pick one item and take the first step. Make web security awareness an integral part of your company culture, not just a one-month effort.
