Information security is difficult. There are so many areas to think about, various attack routes to cover, a myriad of potential solutions on offer and very little time (or budget) to work with.
It’s no wonder there is often confusion, and it can be difficult for an organisation to know where to start, which direction to turn, what the next steps should be, or even which defensive measures will be truly effective.
In this type of environment, it can be all too easy to pin your hopes on quick, easy solutions: solutions that will supposedly solve all your security problems in an instant. There are plenty of vendors out there more than willing to offer them to you.
“Our next gen security product is unhackable”
“Our services are 100% secure”
“Automatically prevent breaches and stop attackers in real time”
The buzzwords are numerous, but essentially the security hype boils down to this: by buying this solution, piece of tech or service you are now protected and no longer have to worry about security.
The problem is, it isn’t true. You can’t buy security, and nothing is ever 100% secure or ‘unhackable’. Determined attackers with the skills, time, resources and motivation will always find a way in eventually. In fact, making such claims only encourages attackers to have a go, and when one of them succeeds the claim is shown to have been complete BS all along.
These types of messages could be considered overhyped marketing or sales at best, and at worst outright lies and snake-oil salesmanship. You shouldn’t take the hype at face value.
Challenge the hype, gain the security assurances you need
Whilst nothing is ever ‘unhackable’, that isn’t an excuse for organisations not to take security seriously. Introducing any device, software, supplier or service to your network increases risk, and it’s important to ensure (as fully as possible) that any addition meets your security requirements before you decide to use it.
Security testing, such as a penetration test, is one way to gain these security assurances, and it’s always reasonable to ask a vendor, manufacturer or supplier for proof of security testing before you proceed with any procurement. This evidence might take the form of a redacted test report, but more often it will be a letter of opinion from a reputable security testing company. Whatever form it takes, check the scope and the date: a test of a different version, or one that excluded the components you will actually rely on, tells you very little about the risk you are taking on.
In some cases, especially when it comes to critical products or services, you may also want to have the product tested independently, providing further assurance before you commit.