A discussion with an old friend recently strayed into the area of information security and the hype that she currently sees surrounding products that will make us more compliant, secure and hacker proof. She works as an IT manager is a relatively large company and confessed to feeling confused by the various products, their claims and indeed the hype over the threats these products promise to address.
This is a subject that I have spoke about a number of times and it is something that I feel as an industry we need to be careful about. Yes we need to make people aware of the problems but lets not become chicken licken proclaiming the sky is falling.
The plain truth is that all products are hyped up, be that a car, a plasma TV or an information security product. Especially in IT where we are constantly being told certain products will do things for us cheaper, faster, smaller, and quicker, making us all more productive with minimal effort. So there is an amount of hype that will come from selling products or services, including those in the information security field.
The other source of hype is from within the media itself. Very often the security stories that make the news relate to major computer virus outbreaks or attacks on well known institutions. These stories only make the news because they are simply that, news! In my mind a similar example from the real world would be the coverage given last year to bird flu. As yet this has not mutated to a form that is dangerous to humans, yet there was talk of major pandemics and how economies could collapse if this bug does mutate. Yet the common flu has killed more people this year worldwide than the bird flu.
As someone who is heavily involved in information security I am often frustrated by the lack of concern people display with regards to computer security. If anything there is not enough awareness of the threats people face once they go online. Research from the SANs Institute shows that an unpatched and unprotected PC will be compromised within 30 minutes.
People will not give their credit card details or sensitive company information to a complete stranger they meet on the street simply because that person asked them for it. Yet people still give away this information as a result of an email from someone they don’t know. Companies leave themselves wide open to prosecution or civil court cases due to their employees downloading and/or distributing illegal, abusive and/or immoral content simply because they “trust” their staff. The problem is, with all things in life the person most likely to hurt you most is the person you trust most.
People understand the security risks we face in the real world. That’s why we deploy burglar alarms on our homes or business premises, shred important documents, have a safe to store valuables and keep our money in banks. Based on our understanding of the risks we face we take appropriate steps to protect ourselves. For example, if I owned a company that is a small professional firm with no valuable stock to protect, I would deploy burglar alarms and ensure I had good locks on the doors. If my company keeps valuable or desirable stock on the premises then I would take additional steps to protect myself, such as install CCTV, employ a security guard and store the valuables in a safe.
The problem with information security is that people often don’t understand it properly. Indeed, many IT people do not understand information security properly.
Securing your business is all about risk management. You identify the threat to your business, be that burglars, theft from staff, fraud or fire. You then decide what you need to put in place to manage that risk.
Once you deploy computers and/or connect to the Internet, there are very real threats to your business. Computer viruses, hackers and in-house threats exist and need to be managed. Anyone who has a PC has at one stage or another has either been a victim of cyber-crime or attempted cyber-crime. This ranges from companies being the victim of internal fraud, being inundated with spam or subject to hacking or infection from a computer virus.
Hackers are real and are a threat with growing evidence that organised crime is becoming more involved in computer crime. The image of someone hacking into your network to steal money is far from reality (unless you are a prime target like a bank etc.) Hackers attack computers to use them for various means ranging from the pure thrill of “owning” someone else’s computer, using other people’s computers in a botnet (a network of computers they can command and control remotely) to disseminate spam, or using others’ computers to attack their real target thus hiding their identity. Computers make it easier and quicker to do things including spreading viruses and hacking into systems. While a burglar can only attack one company at a time, a computer virus or hacker can hit many companies at the same time.
So yes there are real threats and people need to be made more aware of these threats and how they can counter them. The problem is most people, including those working in IT, do not understand properly the threats and problems relating to IT security.
Yet everyone is looking for solutions without actually understanding the problem. Vendors and resellers will be only too happy to sell products, however if the underlying problem is not properly addressed then these solutions are not going to work as expected resulting in the customer having a greater lack of confidence in information security.
In my opinion information security has also become the new “e-commerce” of this decade. It is the current wave and everyone is trying to catch it. Having worked in the information security industry for many years where only a small number of companies provided expertise and services, I suddenly find every company now offer information security solutions. While it is good that more people are becoming aware that information security needs should be addressed, customers need to ensure that their vendor fully understands information security and are providing solutions based on impartial advice and not simply to sell a product.
It is time for us to stop listening to the hype, looking properly at the risks that need to be addressed and calling that sales person or consultant “chicken licken” when they start to over hype a problem or solution.