The state of security: Fearmongering and surrender

With a combination of hyped threats and inadequate solutions, the security industry needs to take a long look at itself

For years now we've learned about a new high-profile data breach every few weeks, the latest being a hack of the South Carolina Department of Revenue that exposed 387,000 credit and debit card numbers. With even greater frequency, security researchers identify new malware threats, such as last week's fresh zero-day PDF exploit.

Cyber crime makes people very afraid. Just as crime stories on local TV news drive people to buy alarm systems, tales of evil new malware and disastrous data spills compel businesses to pile up security defenses. Emerging risks in the form of mobile device malware, public cloud services, and BYOD anarchy have cranked up the fear factor even higher.


On a superficial level, that's good for the computer security industry because it can sell a wide array of solutions to lock down systems. Security vendors can add elaborate mobile device management and cloud security solutions to the usual mix of firewalls, antimalware, access control, security event management, encryption, IDS/IPS, and more.

Like drugs that lose effectiveness over time, a number of time-honored security countermeasures have declined in value. For example, no matter how frequent the updates, no antimalware software can check for every known threat, let alone the zero-day risks. You still need antimalware, of course, along with the rest of the above defenses (though InfoWorld's Roger Grimes has gone as far as suggesting that you don't need a firewall anymore). However, you must be realistic about what such defenses can and can't do.

In truth, for most businesses, common sense measures such as up-to-date patching and training users not to click on phishing emails yield "good enough" security. There's no such thing as zero risk, but you can get to low risk without tying yourself in knots.

If you have the kind of business with lots of data really worth stealing, and sophisticated hackers know it, you can erect every security barricade short of pulling the plug on the Internet, and the bad guys will probably still find a way in. Primarily, I'm talking about organized crime and foreign governments deploying advanced persistent threats to steal intellectual property.

On the one hand, the security industry helps gin up the fear factor, which may result in overprovisioning. For example, it's easy to damage productivity with ham-fisted access control that denies users access to information they need. If you restrict mobile devices too much, users may simply smuggle in their own.

On the other hand, if you're a high-value target, you've probably been compromised no matter how hardened you think you are, unless you have a budget as big as the Defense Department's.

If you read Roger Grimes' blog regularly, you probably know that most organizations can radically improve security just through user education and consistent patching -- not to mention multifactor authentication, proper network segmentation, and so on. But more needs to happen.

It's time for the security industry to scale back the scare tactics and quick fixes and to help businesses put best practices in place. That may not sell as much product, but the vendors that truly provide such assistance will enjoy huge customer loyalty.

This article, "The state of security: Fearmongering and surrender," originally appeared on InfoWorld, in Eric Knorr's Modernizing IT blog.

Copyright © 2012 IDG Communications, Inc.