How and Why Companies are Hacked

Anthem, Sony, Home Depot, Dairy Queen, Kmart… What do all of these companies have in common?

They were hacked and lost millions!

It seems like not a day goes by anymore without news of another company whose private data has been compromised by an individual, a hacker, as some people call them.

Every year these “hackers” steal more and more private and sensitive information. And whose fault is that? Honestly, most of the time the fault comes down to bad programming: insecure code and insecure design.

Why, even with all of the reports in the news, are we still not doing right by our customers and protecting their data, instead of neglecting security and focusing only on profits?

I believe this comes down to many people (usually upper management) being downright ignorant of what, or whom, to look for when hiring developers or designing an application that will hold sensitive information.

The money is always there to hire a developer to get the startup off the ground, or to build a new flagship product, but what many people don’t understand is that it is easy to build a great product that makes a ton of money and is completely insecure. That is like building the most luxurious house, showing off all of your money, and then deciding not to pay for locks on the doors!

You are just asking for someone to steal from you. And they will. They probably already have. Much of the time, when people are hacked they don’t even know it. It’s not as if a red light comes on that says

“All your data is currently being stolen. Please look into this.”

No, usually you find out only after it’s much too late and you’ve already lost everything, and now you are about to be sued on top of not having a dime to your name.

So what should you take from this? Hire good security developers! Hire good penetration testers (hackers)! They will save you far more money than they cost you.

It would be nice if the person who develops the application were also an expert in security. I think most managers assume that when they hire an “application developer” they are also getting a security expert.

I’m sorry, but that is just not the case. Take it from me, someone who has worked with many application developers and a few great security developers. Sure, many application developers are familiar with security principles and know of situations they have to look out for. That by no means makes them experts, though, and they should not be the ones you entrust with your multi-million dollar business. The reverse is also true: a security expert is not an application expert. If you hire one to develop your application, you may end up with an unsorted array as your data structure when you really needed a self-balancing binary search tree to do your searching. Customers aren’t going to be happy when a search takes hours.

To give you an analogy, say you needed emergency brain surgery because a blood vessel in your occipital lobe burst. The neurosurgeon will likely have to perform an endovascular embolization. This involves packing the aneurysm with a material (for example, a soft coil or mesh) that fills the stretched, bulging section of the blood vessel. This seals off the aneurysm and reduces the risk of it leaking blood or rupturing again. The surgeon uses X-ray imaging to locate the aneurysm and to guide the material into it.

The success of this procedure is directly proportional to the skill of the neurosurgeon. My point is that even for a skilled specialist, this is very hard to perform perfectly. You wouldn’t want your heart surgeon attempting it just because they are also a surgeon.

We all need to have the same mindset when developing system and web applications. Believe it or not, system and web security is just as complex and requires just as skilled a specialist to get right. Don’t skimp on your security! It is a complex and crucial part of your business, and it involves people’s livelihoods (all of their money), just like surgery.

Hiring great security professionals is not always the most glamorous thing to do. They won’t improve your web traffic by 1000%. They won’t make your application run more smoothly. They won’t make your application do anything, really. But they will keep you from losing everything, and possibly from going to jail, just as the neurosurgeon saved your life when you chose him over the heart doctor.

