Thursday 6 August 2015

Planning for when you get hacked

If you're a business of any decent size, then you have servers for your computer networks. If you are following good practices, you have backup and restoration plans for them - maybe even disaster recovery plans, in the unlikely event that the entire server room catches fire one day. However, something that seems increasingly clear to me is that you should be planning for the day you get hacked.

If your servers are internet-accessible (and, for some businesses, their entire business model hinges on this) then you will be hacked one day. Passwords (or, more usually, the hashes of them), credit card numbers, personal details - all of this data is vulnerable and enticing to criminals. What's more, no matter how good your security practices are, your patching, operating systems and firewalls won't prevent 100% of attacks: unpatched bugs, stolen credentials and mistakes by your own staff all get through eventually. So you will get hacked - it's not a matter of "if" but "when", and it will do serious damage to your company's image and reputation, not to mention the bottom line.

How can you plan for being hacked? Start by taking a hard look at everything that is on your servers and imagining that a criminal had full access to it. What could they get? What would it be worth to them? Would you even know they'd been in there? Starting from those answers, lock it down. Remove everything non-essential: data you never collected, or have already deleted, cannot be stolen. Encrypt everything that's left, and keep the keys somewhere other than the server that holds the data, because a key sitting next to the database is just part of the loot. Send your logs to a separate machine so that you can answer the third question. Make sure that, when (not "if", remember) someone gets into your server, all they find is a minimalist database containing values only meaningful to your company, all locked up with encryption so tight that it would take until the heat death of the universe to crack open.
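As an added example (not code from the original post), here is what that looks like for a small customer table in Python: the application holds the key, and the database holds only ciphertext, a keyed lookup index, the last four digits of a card and scrypt password hashes, so a raw dump of the table or of its backups tells the thief nothing. Two assumptions are made: the master key is fetched from an HSM, KMS or secrets manager at start-up (a fixed constant here, so the example runs offline), and an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag stands in for AES-GCM so that only the standard library is needed; in real code use AES-GCM from a maintained library such as cryptography.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: in production this comes from an HSM, KMS or secrets manager at
# start-up and never sits on disk beside the database. Fixed here only so the
# example is reproducible offline.
MASTER_KEY = bytes.fromhex("5f8c1a3e9d2b4c6e7f0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f506")

def _subkey(purpose: bytes) -> bytes:
    """Derive an independent key per purpose so one leak does not expose the others."""
    return hmac.new(MASTER_KEY, purpose, hashlib.sha256).digest()

ENC_KEY, MAC_KEY, INDEX_KEY = _subkey(b"enc"), _subkey(b"mac"), _subkey(b"blind-index")

def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher; this is a
    # stand-in for AES-GCM so the example needs only the standard library.
    n_blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(n_blocks)
    )
    return stream[:length]

def encrypt_field(plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_field(blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; raises on tampering or wrong key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(nonce, len(ciphertext))))

def blind_index(email: str) -> str:
    """Keyed hash so the app can look a customer up by e-mail without storing it in clear."""
    return hmac.new(INDEX_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def hash_password(password: str) -> bytes:
    """salt || scrypt digest; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest, candidate)

def create_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email_index TEXT UNIQUE,"
        " email_ct BLOB, card_last4 TEXT, password_hash BLOB)"
    )
    return db

def add_customer(db, email: str, password: str, card_number: str) -> None:
    # Data minimisation: the full card number is never written, only the last four digits.
    db.execute(
        "INSERT INTO customers (email_index, email_ct, card_last4, password_hash) VALUES (?, ?, ?, ?)",
        (blind_index(email), encrypt_field(email.encode()), card_number[-4:], hash_password(password)),
    )
    db.commit()

def login(db, email: str, password: str):
    """Return the customer's e-mail on success, None for an unknown user or a bad password."""
    row = db.execute(
        "SELECT email_ct, password_hash FROM customers WHERE email_index = ?", (blind_index(email),)
    ).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return decrypt_field(row[0]).decode()

def attacker_dump(db) -> list:
    """What a raw copy of the table (or of its backup) yields to someone without the key."""
    return [
        {"email_index": r[0], "email_ct": r[1].hex(), "card_last4": r[2], "password_hash": r[3].hex()}
        for r in db.execute("SELECT email_index, email_ct, card_last4, password_hash FROM customers")
    ]

if __name__ == "__main__":
    # Constructed sample customer; nothing below is real data.
    store = create_store()
    add_customer(store, "alice@example.com", "correct horse battery staple", "4111111111111111")
    print(login(store, "Alice@Example.com", "correct horse battery staple"))
    print(attacker_dump(store))
```

The threat this defends against is a stolen copy of the database or its backups. Someone who also owns the application server, with the key in memory, can decrypt whatever the application can, which is why the other half of the advice above (store less, keep the keys and the logs elsewhere) matters as much as the encryption.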

Mokalus of Borg

PS - Well, maybe not that strong.
PPS - Maybe aim for "strong enough that cracking it is not worth it".
