Re: "...a skilled hacker will alway get in..."
"In the common business model, where we rely on technology for protection, maybe. Probably, even. But we can do better. We HAVE to do better."
Wrong.
As IT professionals and business people who care about the reputation of your companies you should
But why bother when you can just drop the costs on the customer or pay a bit more insurance?
Until Board level staff start doing jail time for (effectively) reckless endangerment of users' data, shareholders start cancelling bonuses for f**kwitted security breaches or companies start going out of business directly as a result of data loss (kicking in the Board level survival instinct) this will not be a sufficient priority.
Yes you can do better if:
a) There is Board level commitment.
b) The user group is sufficiently small and security conscious.
c) Security is a factor in all hardware and software decisions. Not just purchasing, all configuration decisions.
No one thought twice about adding in LZW libraries and yet that rendering bug existed in them for 20 years, and by extension every app that used that library inherited that bug as well.
So despite your site or your core apps not using that functionality, all it would take would be a properly crafted file sent to them to get the ball rolling...
If the target's worthwhile enough, people will commit time and resources to it. Most may well be amateurish skiddies who can be swatted like flies, but some will be serious players, possibly as part of a team contributing different elements of the penetration.
Then it's about damage limitation and repair.