Same Old Security Song And Dance? Yes And No

The results of InformationWeek's annual Global Security Survey got me to thinking that the more things change, the more they stay the same.By which I mean there's a certain amount of same-old same-old here, which is to be expected. On one level, the story is that the security story doesn't change much. The issue is a continuum, playing out over and over again. Companies may be spending more money, but they still aren't spending enough money. (They never do unless they've been publicly embarrassed). For the most part, they don't set up or fully follow security procedures unless a news story scares the pants off them. They plow ahead with new technologies even though they know they're not secure. (Hey, you gotta do what you gotta do to keep a competitive edge.)

And users keep doing stupid things, too. Mom was right, if their laptops weren't screwed to their desks, they'd lose them. No wait, they aren't nailed down, and they do lose them! Hackers continue to have their way, IT shoulders the blame, and researchers reap much publicity in the race to ferret out application flaws. If I never see another survey that brightly announces that users don't change their passwords enough, or should stop using birthdays and pet names as passwords, it won't be soon enough. (It's stuff like this, BTW, that will probably help propel biometric access methods into the mainstream.)

In fact, the only things that seem to change in this ongoing saga are the targets, the technology, and the attitudes of the public, legal, and regulatory sectors.

For example, it used to be that users of Macintosh or open-source systems didn't have to worry so much. Not anymore. Maybe blowing holes through Windows got to be too easy, but the bad guys have finally gotten 'round to training their sights on Apple and Linux. And hackers too--even and especially white-hat ones--also didn't used to have to worry so much. Not anymore. You get caught today, even with the best of intentions, and you face the highest chance ever of going to jail.

Law enforcement has taken an increasingly harder view of cybercrimes of all ilk, and it's showing up in tougher laws, cross-agency and cross-national teamwork, and more arrests and more jail time.

Congress at least thinks more about addressing high-tech issues, but the very thought of more action on the hill ought to give pause, given the knowledge base we're dealing with there. Take that key senator who brightly announced that the Internet is not a truck. Very good, sir, you may sit down now. On the other hand, if companies can't be scared straight, so to speak, into enacting needed reforms to protect the data they collect, well, maybe it would be better if Congress stepped in.

One obvious change is the evolution in publicizing hacks, data breaches, and vulnerabilities. Yeah, we still don't hear about this stuff in as timely a manner as we should, and the source of that information is often not the affected party (which it should be), but we're seeing more cybercrimes and computer flaws reported and publicized. Which is a good thing. It's good because it will spur at least some readers into action, and because knowing how each event happened and knowing how it was dealt with adds to our knowledge base.

The area of biggest change is, of course, technology itself. Be it the frighteningly fast evolution of viruses, Trojans, worms, and other forms of attack, old and new, or the technologies being used to defend against such attacks, the pace of change has been furiously fast.

At the end of the day, this should mean a major ratcheting up in turns of the seriousness of this issue. It means even if the number of attacks falls, the cost of those attacks is escalating up and up. The fallout from a successful enterprise breach or data loss carries a higher probability of being more devastating. The cost of cleaning up after such an attack, and defending against the increasingly more complex and sophisticated efforts to break in, are going to rise to painful levels.

So even if your company is more secure today than it was a year ago, it won't necessarily help you going forward. IT needs to make sure all the security bases are fully covered, deployed, and in use, and then determine to remain on alert going forward, updating and changing policies and technology as needed. Be honest, does this describe your company?

This is a different kind of war on terror, but like its political counterpart, it's never going to be over. So don't wait for the next big news story to start looking over your security setup. Be proactive now because you never know--yours could be the next company splashed across the headlines.

** For another take on our annual global security survey, read Larry Greenemeier's summary of what he sees as the five biggest surprises from the survey and his cover story package on that survey. You can see the full package of survey results, reader tools, and stories by going to our special topic page on the subject.