An insecure feeling

IT security always reminds me of exercise. We know we have to do it and every once in a while a few of us manage some periodic bouts of sweating, at least for a month or two.

But despite our best intentions, too often we lose our motivation and end up a bit tighter around the waistline, telling ourselves that we’re not in bad shape, that we feel fine. That exercise can wait.

That’s why I get so frustrated when I read reports that warn Canadians about the perils of unhealthy living, or that warn IT professionals about the hazards of poor security practices. Unless you’re one of those people who sue cigarette makers because the companies failed to tell them that cigarettes could be unhealthy, you realize it’s old news. We all know it’s true. Why waste the paper?

That might be a cynical take on the state of affairs in IT security, but I never hear anything to make me think otherwise. At times, the challenges the industry faces seem almost insurmountable.

At the recent Comdex show in Toronto, one of our reporters asked attendees about their security initiatives. To a person, they said they’d love to do more, but can’t because their managers aren’t willing to spend money on a problem they can’t see, hear or touch. That’s a tough one to fix. If I knew the best way to convince your upper management to spend more on security – aside from the proven method, which is for something catastrophic to happen first – I’d be rich.

Then there are the commonly accepted practices within our industry. Users are still picking easy-to-figure-out passwords, or are even sticking with the default settings. And whether it’s because they’re swamped with work, don’t have enough resources or aren’t taking threats seriously, some systems administrators aren’t patching as often as they should.

Then again, their patching workload would probably be greatly reduced if software vendors were more concerned with the quality of their code. “Every day in this country there are companies suffering from damages and losses” that are the result of poorly engineered software, said Richard Clarke, chairman of the U.S. President’s Critical Infrastructure Protection Board, speaking at Def Con, a recent gathering of hackers and security experts in Las Vegas. “The quality control obviously isn’t there.”

His suggestion? That you stop buying buggy software. That’s not very realistic for two reasons – one, vendors won’t stop issuing buggy software unless we radically revamp our economic system, and, two, from time to time, you actually have to buy software.

Yes, there is some good news. Earlier this summer, San Francisco-based Ferris Research concluded that management need not worry much about viruses infiltrating organizations via the desktop. It found that a 1,400-person organization anticipates a total of about four outbreaks in 2002; each outbreak affecting just individual users. That’s an average of each user getting one outbreak every 350 years or so.

Even when struck, users lose only about an hour of their time chatting with the technical people who help with the fix. Ferris says that costs around $25 per user incident or up to $80 if you factor in help desk time.

But the serious outbreaks are becoming very serious indeed – whoppers such as Klez and Code Red may be only the tip of the iceberg, not to mention the viruses that are now infiltrating popular instant messaging software, which may represent a big step backward from the gains made on the desktop front.

But in the back office, it’s situation normal – IT staff pressuring managers, software vendors pressuring companies, increasingly dangerous malicious hackers and cyber-criminals pressuring everyone. Unless we all sit down and get this one figured out, Corporate Canada, and the reputation of IT, will continue to pay a needless price.