Enterprise security today is in a sad, sad state. Cyber criminals are pulling off millions of dollars in heists on a daily basis. Tens of millions of corporate PCs are infected. Corporate networks are being pwned left and right. Although there is more than enough blame to spread for the situation -- end-users certainly play their part -- senior management deserves the lion's share of the responsibility.
For more than two decades, I've been auditing enterprise networks, and since the beginning, I've heard dedicated IT staffs rail on and on about how management doesn't support improved security. Every enterprise environment I've seen lives in a perpetual state of insecurity, with porous boundaries peppered with long-term vulnerabilities.
[ Download Roger Grimes's new "Data Loss Prevention Deep Dive" PDF expert guide today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]
Much of it has to do with an outdated approach to calculating security benefit trade-offs. In business, you don't spend money unless the expenditure saves you or gains you more in return. For example, you don't spend a million dollars on antivirus software unless the potential damage you are avoiding would be more than a million dollars. Every computer security decision involves this calculation.
The problem is that for decades, number crunching determined that good computer security wasn't worth the cost. When hackers broke into an enterprise network, no matter how successful the attack was and how much bad publicity was garnered, the company's stock price was either unaffected or even rose. This was not lost on senior management. Thus, for all the years that IT was complaining about poor security and all the risks, management mostly thought it was IT security people being overly worried and crying wolf.
For two decades most malware, and even hackers, didn't do anything especially harmful. They were more of a nuisance than a business threat. But now the landscape has changed. Most malware and malicious hackers are criminally motivated. Foreign hackers have likely stolen a substantial amount of the world's private intellectual property. Most people's identity and financial information has been stolen. Almost any network can be broken into at will. Most networks are already actively broken into and the intruder has full access and control of it.
In the past few months, we've seen several companies lose hundreds of millions to potentially billions of dollars: Sony, RSA, and so on. Hackers (such as WikiLeaks) have released top secret information into the public domain, and malicious hackers are directly attacking their pursuers. The campaigns against companies are so devastating that I'm now calling them reputational-level attacks: One assault can ruin your company's good name, turning it from something respectable into a punch line. It has happened, and it will continue to happen. We are in a new computer security world now.
Senior management needs to understand that the old cost-benefit models no longer apply. The security paradigm has shifted. What IT has been worrying about all these years has come to pass.
What to do? Senior management should ask its IT security department to come up with a list of everything that needs to be improved or fixed. Rank the risks from top to bottom and get to work on fixing them now, starting with the biggest risks first. Put less stock in exotic, superadvanced solutions and concentrate on improving the basics: better end-user education, better patching, better software design, default encryption, along with least privilege everything.
We know what we need to do. We just need to start doing it better, and do it better now. The cost of not doing anything different is too high.
This story, "The cost of bad security is higher than you think," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.