(An example of how security failures get introduced, how they go unnoticed, and what the probable damage is when they finally are noticed. This is based on real events, but has been anonymized to protect the organization.)
Many years ago, a non-profit institution had the task of setting up a website to establish its Internet presence. The institution started by simply getting volunteer assistance from people who seemed interested in technology, and later used its very limited IT budget to hire a professional webmaster named Mike.
Unfortunately, Mike did not really understand standard security measures. As a result, he left serious security problems in the institution's website, because he had never thought to develop a security plan and follow it from the get-go. The website was duly targeted by a criminal organization, and people coming to the site to learn about the non-profit institution instead got advertising for adult entertainment. In addition, the criminals retrieved personal identity and credit card information that was improperly stored and vulnerable to common IT security attacks.
The cost of containing the crisis included:
$100,000 for insuring people who had information that was potentially accessed by the criminal organization against identity theft.
$100,000 for a software security firm hired to investigate the security breach and suggest remedies.
$80,000 for consultants to replace Mike (who left as a result of the breach).
Unknown losses of potential donations and loss of reputation.
Mike had cost the organization $50,000 a year. For $20,000 more per year, the organization could have hired a development organization that would have prevented the crisis, and saved itself $200,000 over the 5-year period that Mike was employed.
How Erie Eyrie can help if you have a security problem or concerns:
If you are starting a new project, we start from industry-standard techniques to prevent security breaches like the one this organization experienced. Consider a Starter Package to get going on your project.
If you have an existing system, we can locate potential or actual security risks and provide ways to remedy them. Our Security Audit service can give you insight into the challenges you face, and create a plan for your technical staff to reduce your risks. If you don't have a technical staff, Erie Eyrie Software can provide a Development Package to handle the work for you.
If you have an existing development team or vendor, we can review the changes they make to ensure that they are not adding security risks. Our Code Reviews will give detailed feedback to your developer staff to ensure that they can embrace secure design practices.