Back in June of last year, I wrote a blog post about security in which I outlined the “Incident Response Life Cycle” and explained the importance of planning for a data breach. Since no piece of technology is flawless or hack-proof, the takeaway was that we all need to be ready for when (not if) our website is compromised or an account password falls into the wrong hands. According to a “data breach investigations report” published by Verizon, “the results validate that any business that operates online is at potential risk of suffering a data breach.” Quotes like this are unsettling to say the least, and I’ve seen, more often than not, organizations of all sizes respond by dedicating huge amounts of resources to expensive security teams and anything else that might put their minds at ease. This approach is not without merit, and I can empathize with the human desire for safety, but before we batten down the hatches and load the cannons, let’s step back and ask ourselves: What are we protecting and at what cost?
The internet can often feel like a foreign and even dangerous place, especially to the majority of people who have never built a website or learned programming. For this reason, IT teams and the “tech savvy” people at organizations often have a lot of sway around web project decisions because, well, don’t they know best? While it is certainly important to bring in many different perspectives to a web project, the danger lies in allowing this power to go unchecked and privileging tech concerns over the concerns of other stakeholders. Security is never the only factor to consider, even though it may feel like the most important factor to some parties, and it’s important to weigh it like any other concern when making a decision. The simple message here:
Don’t let your IT team hold you hostage.
For those who are less familiar with internet security, one way to help approach the security conversation is to compare it to a home or business security system. In this scenario, let’s think of the internet as a huge city with neighborhoods full of houses and your website is just one of those many houses. You hopefully lock your doors at night and might pay a monthly cost for a security system, but you probably don’t have a full-time guard or a razor-wire fence around your house. I can only speak for myself, but, if I surrounded my house in razor wire, I doubt my friends would visit me anymore! Thus, I utilize security measures that make me feel safe, while not interfering with my way of life.
These more advanced security systems exist, but they are generally used to protect banks and other buildings that store very valuable items. The same line of thinking and questioning applies to the security of your website. If you’re building a website that stores the launch codes for the US’s nuclear weapons, security is hopefully your highest priority. However, if your website is primarily for marketing and you host your e-commerce website elsewhere, you can weigh factors like usability and cost more heavily than security.
Mo mostly serves as a strategist at SmallBox, but here she subs as security.
One place where I’ve seen this security conversation seriously impact, and even completely alter, a project’s trajectory is in selecting the right Content Management System (CMS). A website’s CMS is the portal through which site administrators constantly update content, change site settings, and control what site visitors see, so it always amazes me when the question “Which CMS is more secure?” completely overshadows other factors like user-friendliness, cost, and scalability.
As an example, although the verdict is by no means in on which CMS truly is the most secure, security is often cited as a reason to choose Drupal over WordPress. While this might be true on a very surface level (WordPress does use a less secure encryption method for storing user passwords), as I mentioned previously, it should be only one factor in choosing a CMS, because heightened security comes at a cost, namely usability. For someone who has never used Drupal, the learning curve for simply managing page content is staggering compared with WordPress. So, next time security concerns are voiced about a decision around your website or app, try to keep them in perspective and remember that heightened security comes at a cost that isn’t always worth the investment.
Share your own experiences with choosing between different technologies and how security concerns impacted that choice in the comments!