Information security is difficult. There are so many areas to think about, various attack routes to cover, a myriad of potential solutions on offer and very little time (or budget) to work with.
It’s no wonder there is often confusion. It can be difficult for an organization to know where to start, which direction to turn, what the next steps should be, or even which defensive measures will be truly effective.
In this type of environment, it can be all too easy to pin your hopes on quick, easy solutions that will hopefully solve all your security problems in an instant, and there are plenty of solutions out there that are more than willing to offer that to you.
“Our next gen security product is unhackable”
“Our services are 100% secure”
“Automatically prevent breaches and stop attackers in real time”
The buzzwords are numerous, but essentially the security hype is this: by buying this solution, piece of tech or service, you are now protected and don’t have to worry about its security.
Problem is, it’s not true. You can’t buy security, and nothing is ever 100% secure or ‘unhackable’. Determined hackers with the skills, time, resources and motivation will always find a way in eventually. In fact, making such claims only encourages attackers to have a go, showing that it was complete BS all along.
These types of messages could be considered overhyped marketing or sales at best, and at worst, outright lies and snake oil salesmanship. You shouldn’t just take the hype at face value.
The security proof is in the testing
Whilst nothing is ever ‘unhackable’, that isn’t an excuse not to take security seriously. Introducing any device, software, supplier or service to your network increases risk and it’s important to ensure that any addition you make is adequately secure before you decide to use it.
The more secure the product/service, the more it deters all but the most determined and skilled attackers.
Security testing, such as a penetration test, is one way to gain assurances, and it’s always reasonable to ask a vendor, manufacturer or supplier to provide you with proof of security testing before you proceed with any procurement process. This evidence can be presented in the form of a redacted test report, but it will most likely come as a letter of opinion from a reputable security testing company.
In some cases, especially when it comes to critical products or services, you may also want to have the product tested independently, providing further assurances before you commit.