[ISN] Opinion: What's the point of security?

Thu Apr 27 01:40:57 EDT 2006

http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158393,00.htm

By Simon Moores
26 April 2006

Security trade shows are booming - but does that mean companies are
any safer? Simon Moores reports from Infosecurity 2006.

It's Infosec time again. Walking the aisles of Europe's most
successful information security trade show, I found myself plagued
with a nagging sense of doubt. Why?

Scantily clad girls dressed as angels and the sash-climbing acrobats
in yellow lycra bodysuits on the Symantec stand were entertaining and
colourful enough. Even the message on the EP Secure stand warning
visitors of the dangers from viruses and "wormes" should have brought
a smile to my face.

But all I could see in London's packed Olympia conference centre was
an industry united in a profitable celebration of the failure of our
society to properly protect itself from the dangers of living an
increasingly online existence.

Infosec was once again the venue for the release of the latest
government-sponsored survey of information security breaches in the
UK, conducted by a consortium led by PricewaterhouseCoopers LLP.

While you can find encouragement in the news that large businesses
have become more security-conscious, with the total security incidents
having fallen by 50 per cent over the last two years, the opposite is
true of small business. Here, the average number of incidents has
risen by 50 per cent to approximately eight per year. Worse still is
the estimate of the total cost of security breaches to UK plc, which
is up by 50 per cent from two years ago to approximately £10bn per
annum - figures that support last month's smaller e-Crime Congress
survey.

Microsoft, which is at last joining the dubious Windows Client
Protection business with its own antivirus solution, has been working
hard to improve its own security credentials with a number of
initiatives over the last year. Its Hotmail web email service is
blocking 3.4 billion spam messages each day and has had two billion
downloads of its malicious software removal tool in the last year,
which tells us something about the overall size of the malicious
software problem.

The computing environment that surrounds us today reminds me of a
large termite mound. It's intricate, solid, highly efficient and
constantly improved. It does however have lots of different openings
to the world outside and every now and then, a hungry chimpanzee with
a twig comes along and plays havoc with the poor industrious termites'
defensive structure.

Taking this metaphor a step further - and looking at the sheer number
of companies displaying solutions at Infosec - I have to wonder how
long business will be forced to continue spending sizeable sums on
information security products that continue to have relatively modest
success in mitigating the expanding risks from internet crime.

It was Winston Churchill who said: "Although personally I am quite
content with existing explosives, I feel we must not stand in the path
of improvement."

At an earlier Infosec Show, I released a Microsoft-sponsored report
called A matter of trust which examined some of the many challenges
facing Microsoft's Trustworthy Computing strategy and the steadily
growing threat from online crime.

In the intervening period, Infosec and the security industry have
become larger and more successful, as have the organised crime groups
which are busy milking people's bank accounts, defrauding businesses
and stealing the identities of as many as 100,000 people in the UK
each year.

So I'm confused. Infosec is a great show and a wonderful platform for
an arsenal of information security and identity products. But all the
evidence of this year and previous years suggests that we're on the
wrong side of the arms race to secure the computing environment.

Even for the most paranoid of organisations, an unlimited security
budget doesn't offer a safe and bullet-proof existence. It all makes
me think of a quote from Arthur Dent in The Hitchhiker's Guide to the
Galaxy: "Ah, this is obviously some strange use of the word 'safe'
that I wasn't previously aware of."