If security isn't built in, it's not there

It's a common myth that big companies and famous celebrities have the best security because they have huge resources. But fame and brand recognition seem to be no substitutes for taking the time and effort to be proactive about security, online or otherwise. To illustrate, eight-time Olympic gold medalist swimmer Michael Phelps may be top dog in the water, but in cyberspace, he’s just another target for amateurish hackers.

Phelps’ site got defaced a short time ago by a Turkish hacker (SC Magazine). SC reporter Dan Kaplan writes:

A screenshot of the hack -- which did not appear to carry any payload, malicious or otherwise -- was posted Thursday on Digg. The defacement contained a link that led to a Turkish language website featuring some text, a picture of the Turkish flag and a portrait of the country's first president, Mustafa Kemal Ataturk. The text appears to be a patriotic quote from Ataturk.

My take? The hackers were probably script kiddies looking to make a political statement. A few points I want to make:

1. Famous people are bigger targets for juvenile hackers looking to use up their 15 minutes of fame engaging in stupid mischief that they think makes them look smart. What these script kiddies are doing is showing off their ability to copy and paste code written by real hackers. They're not smart, but they can be very annoying, or even dangerous for an organization's reputation and brand.

2. If security hasn’t been explicitly built into your operation, whether that's a website, a network or a hotel lobby, it’s not there. For businesses in particular, ignoring security is akin to operating without insurance.

3. Focusing on SEO for websites while neglecting security just makes those websites a more effective tool for hackers to find and infect every visitor. The best hackers don't operate like the ones that defaced Phelps' site; they hide their tracks, so that popular and trusted sites end up causing problems for thousands of users, for months or even years before the malicious code is discovered.