Firms losing security war, expert says

Companies are losing the battle to secure their IT systems from attacks by hackers and other threats, warned Bruce Schneier, the founder and chief technology officer of Counterpane Internet Security Inc.

“I don’t think, on the whole, we are winning the security war; I think we are losing it,” Schneier said in a speech, which was webcast Wednesday at the Hack In The Box Security Conference (HITB) in Kuala Lumpur, Malaysia.

As systems get more complex, they get less secure, according to Schneier. Even as security technology improves, the complexity of modern IT systems has increased at a faster rate.

“The Internet is the most complex machine ever built,” Schneier said. “This explains why security is getting worse.”

In addition, the nature of the threat that companies face has changed in important ways.

Where hacking was once considered a profession for hobbyists, a growing number of hackers are now criminals with a profit motive. “The nature of the attacks are changing because the adversaries are changing,” Schneier warned. “They have different motivations, different skill sets and different risk aversions.”

Hobbyists now represent the minority of hackers, according to Schneier. This change means hackers pose an even greater threat to companies. “The hobbyist is more interested in street cred, the criminal wants results,” he said.

To turn the battle in its favor, the security industry must look beyond purely technical measures, according to Schneier. “Look for the economic levers,” he said. “If you get the economic levers right, the technology will work. If you get the economics wrong, the technology will never work.”

Externalities, an economic term used to describe the effects of one person’s actions on another, are central to building effective security, Schneier said.

For example, U.S. banks do not spend heavily to defend against identity theft because they are not affected when such theft occurs. To the banks, this is an externality. However, when banks bear liability for a security breach, such as an unauthorized ATM withdrawal, they make the investments necessary to prevent these incidents from taking place, he said.

The same economic lessons can be applied to software vendors. To improve the security of software, Microsoft Corp. and others should be made liable for selling software that is not secure. “When you use buggy software and you lose data, that’s your loss and not the software company’s loss,” Schneier said.

That needs to change, according to Schneier. “The organization that has the capability to mitigate the risk needs to be responsible for the risk,” he said

HITB runs through Thursday, Sept. 21.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now