Two reports came out this week that reflect the poor (and weakening) state of security in technology.
The first report is the 2014 edition of Mary Meeker’s annual KPCB “Internet Trends” report, which I always recommend reading. On slide 18, she states that, “+95% of networks… compromised in some way,” and “vulnerable systems on the Internet are compromised within 15 minutes.”
The same automation software that enables vacuums to move around the house, Google Maps / Waze to find alternate routes, and Chef to maintain consistent server state, let alone Google to scan and index the Internet, enables criminals to find and probe your deployment within less than an hour of it being deployed, even before anyone knows about it.
The second report, the 2014 edition of the annual “U.S. State of Cybercrime Survey”, which is put together every year as a joint venture of CSO Magazine and the United States Secret Service, indicates an increase in incidents overall, incidents per organization, cost per incident, and, perhaps worst of all, ignorance about those costs. Companies simply do not know and often, until it is a crisis, do not care.
The last issue – the cultural one – is the biggest of all. I have raised it before, particularly in the context of the Target breach late last year and the TJX Cos breach several years ago. On the one hand, it is understandable. The business is focused intensely on growing its revenues and profits… as it should. The issue is even more acute for resource-constrained small companies, and especially fast-growing startups. They only can focus on so many things, and they are told by their investors to focus on growth; they’ll raise cash to deal with the rest later.
The first problem is that the mindset appears to apply only to information security, not to physical security. Target may have had too little respect for the threat from bits and bytes it could not see, but it spent plenty on guards, anti-shoplifting, security cameras and alarm systems. Similarly, a startup that just banked $1MM from an investor may focus more on product than security, but it is unlikely to leave its front door unlocked, even if it has “only” $50,000 in laptops, screens, printers and Aeron chairs in the office.
In other words, the issue is not a mindset of business growth vs. risk-averse security, which I could potentially understand; it is one of visible threats vs. invisible threats… even though the latter pose a much greater risk.
The second problem is that, as every software architect knows, the architecture you lay down on day 1 is the one you will live with for many years. Or, in the more pithy version, “there is no such thing as a temporary solution.” The percentage of “temporary” solutions I have seen still in use five years later is directly proportional to the number of services still in business five years later. If your service is still around, the temporary solution almost certainly will be as well.
All of this means that whatever security architecture you lay down at the start is highly likely to be around as long as your service is. And it is much cheaper to set it up correctly the first time – just like a software architecture – than to fix it later. In any case, as Meeker points out, if later is anything beyond 15 minutes after deployment, or at most discovery, chances are it has already been taken advantage of.
When you put up a house, or move into a new office, the first thing you do is put a lock on the door, before the first laptop or desk moves in. When you deploy a new Internet service, the first thing you should do is lock the front door, so the “casual” criminal cannot get in. Sure, you are probably not up to stopping the top-tier cyber-crooks… but your brand new service is also unlikely to be worth his/her time or effort until you can afford to harden and monitor it correctly. The infrastructure and design you lay down on the first day will, however, make it far easier to survive to that day, as will the culture of caring about it.