Last year I was asked to build a company website from scratch without any prior experience in web design. I chose to use WordPress since it was free, had a large support community and offered an extensive range of themes and plugins. After a few weeks of experimenting, reading online blogs and watching tutorials, I was able to publish an interactive and (somewhat) professional looking website.
However, beyond domain names and hosting providers, I knew very little about how my website worked. I recognised terms such as ‘HTML’, ‘CSS’, ‘front-end scripts’ and ‘back-end code’ but could not explain their individual purposes. I installed and activated a well-reviewed security plugin and assumed that my site was immune from cyber-attacks.
It was not until I started my ‘Cyber Security Technologist’ apprenticeship the following month that I began to question and properly evaluate the website’s cyber security.
To implement better security, I had to expand my knowledge. I needed to know basic website infrastructure, common attack vectors, methods to reduce/eliminate risk, how to implement security measures and recognise possible indicators of a security breach. In short: what a website is, the threats, the solutions, how to reach a solution, and how to realise something is wrong.
I spent another week researching and implementing security, but got a bit too carried away. I used a random password generator to create secure usernames and passwords, limited login attempts to three before a temporary lockout of 20 minutes, gave every user apart from myself ‘read only’ privileges and hid the admin login page.
When my boss spotted a typo on the homepage, he couldn’t find where to log in, couldn’t remember any of his credentials, got locked out multiple times and then, when he finally got into the dashboard, didn’t have the correct rights to make any changes. He was not very happy.
I learnt first-hand that cyber security is not only about restricting access to sensitive information. Instead, it is a combination of the following concepts and should be treated as a balance of all three (Bashay, 2018):
- Confidentiality: restricting access to your sensitive information from non-authorised entities.
- Integrity: assuring information is trustworthy and accurate.
- Availability: guaranteeing reliable and constant access to your sensitive information for authorised entities.
In my case, I had prioritised confidentiality to such an extent that I sacrificed availability.
When implementing or managing personal or commercial cyber security, it is essential to consider the trade-offs between confidentiality, integrity, and availability.