Pretext
I'm not a security expert, just a web dev with an interest in "security". I've been tasked by my employer with giving an internal talk on security (specifically web application security) and why it is important for SMBs.
Reflecting on my motivation, I've realised this particular subject interests me because:
- I find the technical aspect fascinating
- It's the right thing to do
- I don't wanna get pwned (professional dignity)
Which is all fine and dandy, but not something the board will be terribly impressed with. Consequently, the talk should focus on the business impact of security for SMBs.
I've been thinking about incorporating some often-heard arguments:
- "Security is only for the financial/medical/insurance sectors"
- "We are too small to get noticed by hackers"
- "There's nothing to get from us – our data is not interesting"
- "We don't store credit card data or anything sensitive"
- "Even if an account gets hacked, there really isn't anything you can do with it"
- "I don't think anybody's interested in what User X has been doing on our platform"
- "There is no business value in security"
- "We need to focus on implementing new features for our users instead"
- "We are lean, and code that doesn't make money is waste"
- "If we make this too complicated, the users will go to our competitors instead"
- "Adobe has been hacked and people still love them"
- "The probability of this ever happening is so low, we can't justify spending any resources on it."
Some of these may be silly, but others, raising the question of the business value of security, are perfectly valid. Unfortunately, these are the hard ones for me to answer, because frankly I do not know the answer. I feel like I can google this until the cows come home and still not get anything other than sales pitches and platitudes like "Your website is your virtual business card and you want to make a good impression."
Some notes I have made so far:
- Small businesses are in fact targeted quite a lot, because they are "low hanging fruits"
- An attacker might not even know your business, e.g. if malware is installed with a dependency manager
- All data is interesting if you have a purpose
- Attackers don't care about your platform and very likely they don't care what the user has been doing on that platform. They are interested in the user data stored (PII, plaintext or poorly hashed credentials, e-mail addresses etc.)
- Attack vectors might include several targets and your platform might be just one small piece in a larger plan
- Compliance with lawmakers and potential business partners
- The business value of security can be quantified after a breach has happened (e.g. number of customers lost)
- "Lean" comes from the automotive industry and they have a lot of regulations to follow
- Security as a differentiator (stand out & build trust with customers)
TL;DR – Actual Questions
I'm not expecting anyone to address all these questions. Just looking for some input, and perhaps some pointers in the right direction. The talk won't happen before Q3 2019, so there's still some time to do research.
- The big question in need of an answer is "Why should SMBs care about (application) security?"
- Is security, at the end of the day, simply risk management?