For years now we've learned about a new high-profile data breach every few weeks, the latest being a hack of the South Carolina Department of Revenue that exposed 387,000 credit and debit card numbers. With even greater frequency, security researchers identify new malware threats, such as last week's fresh zero-day PDF exploit.
Cyber crime makes people very afraid. Just as crime stories on local TV news drive people to buy alarm systems, tales of evil new malware and disastrous data spills compel businesses to pile up security defenses. Emerging risks in the form of mobile device malware, public cloud services, and BYOD anarchy have cranked up the fear factor even higher.
On a superficial level, that's good for the computer security industry because it can sell a wide array of solutions to lock down systems. Security vendors can add elaborate mobile device management and cloud security solutions to the usual mix of firewalls, antimalware, access control, security event management, encryption, IDS/IPS, and more.
Like drugs that lose effectiveness over time, a number of time-honored security countermeasures have declined in value. For example, no matter how frequent the updates, no antimalware software can check for every known threat, let alone the zero-day risks. You still need antimalware, of course, along with the rest of the above defenses (though InfoWorld's Roger Grimes has gone as far as suggesting that you don't need a firewall anymore). However, you must be realistic about what such defenses can and can't do.