Web defacement - could you be next?
The National Party website defacement – could you be next?
By Graeme Sinclair and Rupert Dodds, KPMG
Recently a hacker defaced the National Party website with Neo-Nazi slogans. Aside from acute embarrassment and a hasty shutdown of the site for a security review, it appears that the attack hasn't caused long-term damage to the National Party.
Not everyone gets off so lightly. Security breaches such as website defacements, or theft of data – especially personal data – can be disastrous for the reputation of a business. Customer confidence plummets and the subsequent investigation of the security breach can cause serious disruption within the organisation. The increasing reliance on electronic communication such as the internet and email further exposes the organisation to risk, and a breach of these systems can penetrate deep into the internal workings of the business.
So what can businesses do to protect themselves from the potentially disastrous consequences of a serious security breach?
First, businesses need to understand that security is a very dynamic activity operating in a rapidly changing environment. Software vendors continually release patches for vulnerabilities as they are discovered, whether by researchers or by attackers, and every unapplied patch is a known weakness that an attacker can look up. Network security is like a dam holding water. If any cracks appear in the dam wall they are repaired to ensure that the water won't seep through and bring the whole lot tumbling down. It's the same with an organisation's security systems. Perimeter security keeps unauthorised persons out of the internal network, but often cracks appear and patches have to be applied to protect the system. Therefore, it is crucial that businesses keep an inventory of the software they run, especially on internet-facing systems such as the web server, and apply the latest patches and fixes offered by software vendors promptly, testing them first where downtime matters. A bit of time and a few dollars spent here could save you millions.
However, security is not only about firewalls, hackers, and patches. It is also about people and processes. Too often businesses put all of their resources into the technical side of things and forget the rest. The most sophisticated security system in the world won't protect a business against sloppy password management. Make sure that passwords cannot be guessed easily, and change the default passwords shipped with operating systems, network devices and applications before a system goes live, since published default passwords are among the first things an attacker tries. Ensure that staff are aware of their security responsibilities. For instance, it is crucial that they don't share or write down passwords, and that they know whom to tell when they notice something suspicious.
Security management is a multi-faceted discipline and businesses need to make sure that they invest their time and money wisely. They can do this by carefully assessing where the greatest security risks are in their business and allocating resources accordingly. Getting back to the dam metaphor – the biggest cracks usually get fixed first. It’s the same with security management.
An attack on a website like the National Party's is rarely a bolt from the blue: the hacker usually sniffs around the website beforehand to pick up information, probing for which software it runs and which pages, directories and services are exposed. That reconnaissance leaves traces in web server and firewall logs. How do you monitor and test your systems, and how do your staff respond, when suspicious activity appears? Some organisations deliberately employ legitimate "white hat" hackers (penetration testers) to seek out weaknesses in their network security and plug them before the real "black hat" hackers arrive on the scene.
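As an added illustration of what "monitoring for suspicious activity" can mean in practice (this is example code written for this page, not anything from the original article or from KPMG), the script below reads web server log lines in the common Apache/nginx "combined" format and flags client addresses whose behaviour looks like pre-attack reconnaissance: many "not found" responses, requests for administrative or configuration paths that ordinary visitors never ask for, or a user-agent string belonging to a well-known scanning tool. The log lines, the list of probe paths, the scanner user-agent fragments and the thresholds are all constructed for the example and should be tuned to your own site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. Field names are this example's own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a legitimate visitor rarely requests but scanners routinely probe for.
# Illustrative list (assumption); a prefix match is deliberately loose, so tune it.
PROBE_PATHS = ("/admin", "/phpmyadmin", "/wp-login.php", "/.git/", "/cgi-bin/", "/.env")

# Fragments of user-agent strings sent by common scanning tools (illustrative, not exhaustive).
SCANNER_UAS = ("nikto", "sqlmap", "nmap", "masscan", "zgrab")

# Constructed sample log: one ordinary visitor, one visitor hitting a stale link,
# and one client walking through well-known probe paths with a scanner user-agent.
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Jan/2024:09:15:01 +1300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jan/2024:09:15:03 +1300] "GET /news/index.html HTTP/1.1" 200 8022 "http://www.example.org/" "Mozilla/5.0"',
    '192.0.2.33 - - [10/Jan/2024:10:02:44 +1300] "GET /old-page.html HTTP/1.1" 404 291 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:23:41:10 +1300] "GET /admin/ HTTP/1.0" 404 291 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '203.0.113.7 - - [10/Jan/2024:23:41:10 +1300] "GET /phpmyadmin/ HTTP/1.0" 404 291 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '203.0.113.7 - - [10/Jan/2024:23:41:11 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 291 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '203.0.113.7 - - [10/Jan/2024:23:41:11 +1300] "GET /.git/config HTTP/1.0" 404 291 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '203.0.113.7 - - [10/Jan/2024:23:41:12 +1300] "GET /wp-login.php HTTP/1.0" 404 291 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '203.0.113.7 - - [10/Jan/2024:23:41:12 +1300] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_recon(lines, min_404=5, min_probes=3):
    """Return {ip: [reasons]} for clients whose request pattern looks like reconnaissance.

    Thresholds are per-client totals over the lines given; on a real server you would
    apply them per time window rather than over the whole log.
    """
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "probes": 0, "scanner_ua": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the whole run
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        if any(rec["path"].lower().startswith(p) for p in PROBE_PATHS):
            s["probes"] += 1
        if any(tag in rec["ua"].lower() for tag in SCANNER_UAS):
            s["scanner_ua"] = True

    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["not_found"] >= min_404:
            reasons.append(f"{s['not_found']} not-found responses out of {s['total']} requests")
        if s["probes"] >= min_probes:
            reasons.append(f"{s['probes']} requests for admin/config paths")
        if s["scanner_ua"]:
            reasons.append("known scanner user-agent")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in find_recon(SAMPLE_LOG).items():
        print(f"{ip}: " + "; ".join(reasons))
```

Run against the sample log, only 203.0.113.7 is reported, with all three reasons; the visitor who hit one stale link is not, because a single 404 is below the threshold. The point is not the particular rules, which a determined attacker can avoid by scanning slowly or with a normal-looking user-agent, but that someone is reading the logs at all and that there is a defined response when a client is flagged.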
The burglar looks for the house with lights off, no dogs and no alarm system. It’s the same with system security. Being smart about security and having appropriate protections in place will reduce the chance that you will be the next red-faced executive explaining yourself to the media and disgruntled customers.