Security Awareness Is the Publics Best Ally

Opinion: The good news is that the public has never been more educated about security threats, says Microsoft's Mike Nash. But hackers remain the ultimate moving target, and the security industry must innovate to stay ahead.

October is National Cyber Security Awareness Month, and Microsoft has been joining industry partners in promoting this program since it began two years ago.

The collective goal of the program is to create more awareness among consumers, small businesses and academia about security threats and how people can protect themselves.

Since the programs inception, the general publics awareness of and knowledge about online safety has improved greatly.

But there is still work to be done and the challenge for the industry and the entire Internet community is to remain vigilant and determined as we continue to zero in on what will always be a moving target: security.

As the recent Zotob worm demonstrated, public awareness of security has never been higher, and media coverage around the industrys response to security threats remains abundant.

More importantly, the industry is investing more and working harder than ever to meet the challenge by providing and encouraging the adoption of effective technology solutions and best practices that help protect against viruses, spam, spyware, phishing, bots, blended and targeted attacks and other malicious attacks that can threaten the security and privacy of home users and businesses alike.

The good news is that even in the face of constantly evolving threats, the security industry is zeroing in on the fast-moving target of computer security.

There are three key indications that the industry is finding its mark. First, the industrys efforts to educate both IT professionals and consumers on the importance of installing and maintaining up-to-date security protection are working.

More and more networks and individual PCs are using firewalls and keeping up with the latest product updates, anti-virus and anti-spyware signatures.

/zimages/3/28571.gifTo bundle or not to bundle: that is the Microsoft security question. Click here to read more.

As just one example, over the past two years weve seen a 1,816% increase in the use of Automatic Updates on Windows, which allow individual computer users to install important security updates automatically to be better protected.

Second, news reports in recent months have indicated that unsecured technology has played a minor role at best in crimes such as high-profile data thefts that, in the past, have implicitly fallen at the feet of IT technologies.

Instead, we continue to see that "insider" activity and human error are leading causes of corporate data and identity thefts. The challenge for the security industry here is around guidance and education as much as technology.

Finally, at the same time, awareness around the importance of security has increased vigilance and is reducing the impact of many social engineering attacks.

Even as hackers and phishers employ extremely sophisticated schemes to breach security or illegally obtain private information, PC users are taking better precautions—like not opening unsolicited mails or unknown attachments and not providing personal information to e-mail requests—to avoid being victimized.

Microsofts security efforts, which are focused around technology investments, industry partnerships and prescriptive guidance and education, reflect the approach that the industry at large is taking to address security.

Looking at the Zotob worm and comparing it to the 2003 Blaster worm, it is evident that this approach is working and has improved the industrys ability to react to Internet security threats more swiftly and effectively.

Organizations are realizing the benefit of running newer software with enhanced security protections, such as Windows XP Service Pack 2, and the increased speed with which they must deploy security updates to protect themselves.

Microsoft and other vendors continue to make improvements to the updating process to make it more predictable and efficient while providing guidance and solutions to customers much more rapidly when attacks do occur.

To help stop future attacks from occurring in the first place, we, law enforcement and other members of the IT community join forces to stop those responsible for the attacks.

/zimages/3/28571.gifClick here to read about Microsofts security alliance.

It took Turkish and Moroccan law-enforcement and the FBI, with Microsofts investigative and technical support, only 11 days to find and arrest the individuals believed to be responsible for the creation and distribution of the Zotob and Mytob worms.

While public interest may focus on high-profile hacks or security breaches, the fact is: the industrys focus on tightening security is working.

The aggressive and clandestine world of hackers, phishers and other criminals requires us to not only innovate but anticipate. Our challenge is to be innovative, nimble and grounded in the fundamentals of engineering excellence, and were taking it head on.

Companies, too, from the top of the organization down must remain resolute in keeping security a priority.

While awareness and the use of anti-virus, anti-spyware and patch management technologies continue to grow, it remains important that organizations remain diligent about all aspects of security in order to stay ahead of emerging threats.

A recent survey by CIO Insight of 300 IT executives found that "three out of ten respondents admit that their companys attitude toward security has become more relaxed as the events of Sept. 11 fade into the past."

Unfortunately, criminals are not becoming more relaxed and executives at all levels of organizations must adopt and maintain a security mindset.

The target that we and others in the security community are trying to hit is never going to slow down.

While criminals think of new scams and transgressions in the physical world, the greater Internet community will continue to be pushed by that predatory subculture of hackers, phishers and criminals who are our common opponent.

Just as all who use the Internet must remain diligent in protecting their systems, so must the security industry be consistent in our determination to provide the innovative security solutions necessary to remain ahead of contemporary threats.

Mike Nash is vice president of the security business and technology unit at Microsoft Corp.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.