Wednesday, 8 November 2017

Week 2 [06-12.11.17] IT Security - do you take it seriously?

Hi everyone!

Statistics and reports are alarming:
Since the turn of the millennium, there's been an incredible uptick in cyber crime. Whereas the total reported damage was only $17.8 million in 2001, the number rose to $800.49 million in 2014. A large portion of that increase has occurred over the course of the last three or four years. From 2011 to 2014, the increase in cyber crime damages well exceeded $300 million.

We all know that. And at work we apply the best methods and practices.

But I'm wondering whether we take the same care of security in our daily lives: the same? less? harder? If you do not want to admit anything about yourself, you can give an example from a colleague.

For example, I remember seeing a terminal at the university on which a man had logged in to his bank and walked away. Terrible.
What do you think? Do you follow the rules shown in the article?

24 comments:

1. Honestly, there is a similar subject this week in another article, so I don't want to repeat myself. As I said, nowadays companies want to cut costs, and developers care only about income and not well-made systems. Everyone lowers their standards and this is the result. For me it is obvious that if you only care about user interface and experience instead of what can ruin your business - security - you will pay a lot. I think that people outside IT still do not understand what SSL is, how to protect data, what authorisations are and so on. And as developers, I think we should explain why it is so important to include all of that in their system. Unfortunately, as I said, there is a trend of lowering standards and doing everything just to get it over with instead of producing a good product.

I always care the most about security, especially when I take full responsibility for the offered solution. If you offer transactions, how can you skip security factors in the first place? For me it is insane. I hope that one day there will be an eye-opener for all these people and they will decide to take more care.

    Replies
    1. This comment has been removed by the author.

2. I agree with you. Many programmers are like "let's do this and that and we will think about security later".

There are various reasons for this. E.g., from my perspective, many projects start as a "proof of concept". This is a specific kind of project, and let's agree you may skip security at the PoC phase. But then, if the PoC becomes a real project, its first version should be thrown away and everything should start again, in a better manner. I know that this is usually NOT the case. Projects are built on top of bad foundations.

The same problem usually occurs with the performance of applications, and when a project is built according to a wrongly understood Agile approach.

3. Gentlemen, very interesting observations. I agree with the fact that often the fault lies in the foundations and in the approach to work. Cezary has a great approach.

2. I don't think this is a very good article, so I don't think that I will follow the rules in it. In response to Cezary's and Mateusz's opinions, I don't think that programmers are 100% responsible for this state. I think that they are responsible for 40% of it. Also, I don't think that the Agile approach has anything to do with it; not so long ago we didn't have Scrum, Kanban etc. and we had the same problem.
    I think that the main problem is cutting costs in companies. We need to know that writing software is very expensive, so companies are hiring programmers without proper education and experience, they are hiring "senior" programmers with one year of experience (so there is no one to do proper code review), and they leave security concerns to the end of the project (later they will say that pen-testing is not so important). I could write a couple of pages about what is wrong with IT projects today (of course from my experience), but nobody would read it. I did a couple of projects for a telecommunication company, an insurance company, a bank and a company which delivers electricity to our homes, and only in one project was the client concerned about security. Guess which one? :D

    Replies
1. The company that delivers electricity to our homes? :) I was getting at the situation where the security rules are not imposed and it depends only on us.

3. Personally, I'm aware of my lack of sufficient knowledge with regard to IT security, and I always try to play it safe. I would never log in to a bank service while connected to a public network. I think that using two-step authorization, and disk encryption if you keep any important data there, is good practice.
    But there are so many kinds of cyber attacks that cautiousness isn't enough to avoid them.

    Replies
1. Adam, I agree with your last sentence. And I think 100% safety will not be achieved.

4. Thanks for this article. I think that security is an important task in IT and should be considered from both sides: software developers and end users. Programmers etc. should care about the rules mentioned in the article, and users should educate themselves to use the software in a safe manner. I am not working as a programmer and I'm not creating any software at the moment, so I do not obey the rules from the article. I can only write what I do as a user or as a researcher. As researchers, we also have to deal with the security of data, but slightly differently. Depending on the topic, to make our research reproducible we should make the data we have used public. It is a problem of anonymization.

    Replies
1. Katarzyna, you write about an interesting problem connected with the security and protection of data entrusted to us, or of our own data. I will say honestly that I had not thought of it that way.

5. I'm grateful for discussing a very important topic. Unfortunately, the weakest element in the security system is the person working on it. Of course hardware and software security is very important. However, many effective attacks on very big institutions have been made possible by human error. Regarding the systems, I think that safe systems do not exist; it is only that the profits from the break-in are too low to take care of them seriously. Let me present the following example: the entrance to a building was well guarded by a person controlling it, equipped with various gates and so on, while a pensioner guarded the rear doors where the workers went out to smoke. We know the stories of famous politicians who stuck a note with a password on their desk. It was once said that most passwords include the name of wives, husbands, babies, kittens, dogs or something else, and if it is too short there is some 123 at the end, because it is easy to remember... I do not do that, but it is the first option of attack, which often ends in success.

    Replies
1. Wieslaw, reading your statement reminded me of Kevin Mitnick's book "The Art of Deception": "I broke people, not passwords." This is the story of one of the most famous hackers. Of course people are the weakest link. But do you care about cyber security in your everyday life?

2. My level of security is proportional to the level of profits (or losses) from its breach. In addition, the effort is greater than the profits. I always pay attention to the components of the security system. I'm sorry, but I do not write about such things...

6. I agree with Tomasz and Cezary. The biggest problem lies in cost cutting by companies. People in charge, shareholders - they do not care about security and safety; what they care about is profit. It's all about money. Why should we opt for the more expensive option if the cheapest one is sufficient for us at the moment? So let's hire people with no experience to write code and programs for banks, governmental institutions and big commercial companies. They will definitely have the right knowledge and know-how to protect all the important data, including personal data... It's really sad, but this is pretty much how it works. But to end my comment with something optimistic, I really do hope that this approach will change in the upcoming years.

    Replies
    1. This comment has been removed by the author.

2. I have already spoken on this subject under the posts of Adam and Cezary. Well, I have great hopes that the culture and the approach will change.

7. Hi,
    thanks for this article. Cyber security is one of the most important issues nowadays. Each company sets its own rules to be obeyed in its own way; however, we all (I mean users and employees) need to be aware of the risks of cyber activity. I agree with Mateusz that there are many developers who care only about the final product, without having the principal rules of cyber security in mind.

8. I have similar observations. That's why I asked that question. Security is key. Thank you for your opinion.

9. This blog is being flooded with posts about cyber security, don't you think? It would be nice to read about something more extraordinary.
    However, as I have stated many times on this blog, security is very important and we shouldn't cut costs on it. Furthermore, we should teach our users, implement new smart attack prevention systems, etc. Nowadays, it's easier to rob people in a Starbucks with a generic laptop than to pull off a heist on a bank.

10. I think that a comprehensive guide about security that we should follow would be the OWASP (Open Web Application Security Project) document: https://github.com/OWASP/DevGuide
    From my experience, security is treated as something that is obvious and something that developers should be aware of (and have the set of skills to provide during development). I think that it is a bad approach to leave it all to the PM and the development team (and keep fingers crossed that everything will be fine). In my opinion, for example, pentests should switch from nice-to-have to must-have as a part of project development. Of course, we should do it in a reasonable way and measure security vulnerability issues by business sense (you don't have to pentest a single-page company site, do you? :)

11. I can honestly say that I have taken a lot of care about cyber security in my company. As co-owner of a middle-sized entertainment company (over one hundred people employed), I knew that disregarding this aspect could cost us a lot at an unexpected moment. The IT administrator is one of the most trained and educated (at the company's expense), best-paid and most respected people in the company.
    By the way, this article reminded me of the idea of "out-of-any-systems-existence" I heard about several months ago. It assumes having no bank accounts, no credit cards, no email addresses, no FB, and what's more: no NIP, no Pesel, no Regon... Being also a lawyer, I didn't believe then that it could be possible. Now I'm starting to look for a way to achieve such a status ;-)

12. Taking care of cyber security is the main focus of my work. My company is a small company, and our data may be attractive to competing companies. One year ago we were audited by an external company according to the IEC 27001:2014 standard. It was a big challenge for my department. However, it was a great help, especially in terms of preparing for the GDPR (RODO) requirements. Our security policy was improved and our employees have been trained on the cyberattacks that they may encounter.

On the other hand, from my point of view the most overlooked issue in security is hiring the right people. It is the reason for many unforeseen gaps across the entire area of data security.

13. I am not an expert in IT security. I cannot disagree with the article, but to be honest I don't know if it covers the whole topic; I assume not. At work I adhere to the basic principles; in more complicated cases I trust the security team and ask them.
    I also try to do my best for the safety of my private resources, but probably every security expert would tell me that I am doing something wrong.

  14. Many of the most successful organized cyber crime syndicates are businesses that lead large affiliate conglomerate groups, much in the vein of legal distributed marketing hierarchies. In fact, today's cyber criminal probably has more in common with an Avon or Mary Kay rep than either wants to admit.
