Five things no one will tell you about web site security

Security sells, so there’s no shortage of security advice, products, and scares out there. I’ve noticed that most articles on the topic of web site security seem to leave out a few important points as they clamor for clicks. So here are five things no one will tell you about website security:

Having the right team on your side is more important than buzzword bingo

Let’s say you just found out you’re heading to the Amazon jungle tomorrow. Would you rather parachute in surrounded by a team of ten experienced jungle travelers dedicated to keeping you alive, or would you rather Google “jungle survival” and jump out of a plane burdened with ten of the best survival books from Amazon.com?

The same applies to web site security — you’re probably not an expert in the field, but you don’t have to be. You just have to figure out who the experts are and hire them to keep your site alive and well. Even the experts can’t predict what’s going to happen next, so you need 24/7 vigilance and a wide variety of skills.

Encryption is just one small part of security

Your site has the little lock, so you’re done, right? Sorry, you still have to manage and monitor who has access to what, and you have to pay attention to what happens to data.

Encryption simply means that data is secured when it’s being transmitted between the user and the server; it doesn’t protect the data or your web site if you print it out, or paste it into an email, or if ten people are sharing one admin login on a sticky note.

If you don’t do it, you don’t have to secure it

An often overlooked strategy for dealing with security issues is to simply NOT do certain things. For example, if you’re signing people up for a seminar, you don’t need their Social Security Numbers; just a name and email will do just fine.

Or if you really need to do something involving sensitive data, separate it from your web site. If you’re taking payments, don’t handle or store card numbers and such — use a reputable secure payment gateway and let the experts deal with it (see first point above).

Don’t waste too much time worrying about the scare-of-the-week

Heartbleed! Poodle! Shellshock! Boo! There’s a new web security scare with a goofy name every week or two. That’s because fear sells, and technical jargon is a fantastic way to scare people.

Next time you see a security story in a scary clickbait costume, dig a little deeper. See if it’s just theoretical or a real, live threat. And in any case, your ninja team (see point #1 again) has most likely already handled the issue long before it hit the morning news.

Keep a sense of perspective

As with so much else in life, nothing is 100% secure or guaranteed, and anyone who tells you otherwise is probably selling snake oil. You can’t eliminate risk, so it’s all about risk management and evaluating tradeoffs.

Brian Wringer