IT security. Could there be a better field to be in? I mean, do IT security problems ever stop?
In recent weeks, weve seen a report stating that it takes more time to patch a system than it does for a system to become infected with a worm or virus; seemingly impenetrable encryption systems have been found to be much less secure than originally thought; and Windows XP Service Pack 2, which was designed to improve system security, has been shown to actually cause some security problems.
And, all things considered, the past month wasnt even that bad. In the last year, some of the worst worms and viruses weve ever seen have struck; in fact, 2004 will almost certainly go down in history as a worse year, securitywise, than 2003 (which currently holds the Worst Security Year title). Given all this bad news, the security consulting and product business must be going great guns, right? After all, companies must be spending a ton of money to improve security and protect themselves from these continuing problems.
It turns out that even with these and other security failures, the terrorist attacks on 9/11, and other events that should have made companies sit up and take security seriously, a large number of companies have added exactly $0 to their security spending.
According to a study by the research group The Conference Board that was commissioned by the U.S. Department of Homeland Security, 45 percent of midmarket companies surveyed have not increased security spending since September 2001, and 1 percent of surveyed companies actually cut back on security spending. (You can read the studys press release, which has a headline that seemingly contradicts the contents of the release, at www.conference-board.org/utilities/pressDetail.cfm?press_ID=2447.)
In response to these survey results, I can only say, are you kidding me?
How can any company CEO or manager who has faced the worst terrorist attack in history, a war and virulent destructive worm after virulent destructive worm decide that the right security response—for protecting company investments, assets, customer information, trade secrets and shareholder value—is no response?
I know the country was in a recession and things are still tight all over, but its exactly during these times—when the economy is weak and money is tight—that a security event could have especially disastrous consequences for a company (think multiple lawsuits from customers that had their private data stolen from unsecured databases).
To me, its behavior like this—companies ignoring their security needs—that points to what is wrong with much of the business community today. In a large number of businesses, company management cant be trusted to do whats best for the company. In many cases, management is too busy watching stock options and waiting for golden parachutes to care much about what will happen to the company in a few months, never mind in a few years.
Theres a part of me that thinks this ambivalent behavior toward security should be considered criminal or at least punishable by very stiff fines.
The first step to improving the situation and changing do-nothing attitudes would be for governments to follow Californias lead and require companies to announce if theyve had a security breach. During a recent worm outbreak, thousands of users PCs "caught" the worm when they visited popular sites that had also been infected. If these sites had been forced to release a public warning in the same way that restaurants are forced to announce food poisonings, a lot of damage would have been averted.
I dont expect this to happen any time soon, but there is one thing I can say for sure: If I were a major investor in one of these do-nothing/know-nothing companies, I would let its management know just what I thought about its lack of concern for security problems. And if I were a major customer of one of these companies, there would be one and only one option: to take my business elsewhere. A business that doesnt care about its own security clearly doesnt care about mine.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.