It’s that annual InfoSec time again and walking the aisles of Europe’s most successful Information Security show, I find myself plagued with a nagging sense of doubt. Why? Scantily clad girls dressed as angels and the sash-climbing acrobats in yellow lycra bodysuits on the Symantec stand were entertaining and colourful enough and even the message on the EP Secure stand warning visitors of the dangers from viruses and “Wormes” instead of “Worms” should have brought a smile to my face, but all I could see in a packed Olympia was an industry united in a profitable celebration of the failure of our society to properly protect itself from the dangers of living an increasingly online existence.
InfoSec was once again the venue for the release of the latest Government-sponsored survey of information security breaches in the UK, conducted by a consortium led by PricewaterhouseCoopers LLP and while you can find encouragement in the news that large businesses have become more security-conscious, with the total security incidents having fallen by 50% over the last two years, the opposite is true of small business. Here, the average number of incidents has risen by 50% to approximately eight a year. Worse still perhaps in figures that support last month’s smaller eCrime Congress survey, we have an indicative estimate of the total cost of security breaches to UK plc, up by 50% from two years ago, and now approximately £10 billion per annum.
Microsoft, which is at last joining the dubious “Windows Client Protection” business with its own anti-virus ‘Windows Live OneCare’ solution, has been working hard to improve its own security credentials with a number of initiatives over the last year. Its Hotmail mail service is blocking 3.4 billion spam email messages each day and it has had two billion downloads of its malicious software removal tool in the last year, which tells us something about the overall size of the malicious software problem.
The computing environment that surrounds us today reminds me of a large Termite mound. It’s intricate, solid, highly-efficient and constantly improved. It does however have lots of different openings to the world outside and every now and then, a hungry chimpanzee with a twig comes along and plays havoc with the poor industrious Termites’ defensive structure. Taking this metaphor a step further and looking at the sheer number of companies displaying solutions at InfoSec, I have to wonder how long business will have to continue spending sizeable sums on information security products that continue to have relatively modest success in mitigating the expanding risks from Netcrime?
It was Winston Churchill who said: “Although personally I am quite content with existing explosives, I feel we must not stand in the path of improvement” and at an earlier InfoSec Show, I released a Microsoft-sponsored report “A matter of trust” which examined some of the many challenges facing Microsoft’s Trustworthy Computing strategy and the steadily growing threat from online crime. In the intervening period, InfoSec and the security industry have become larger and more successful, as have the organised crime groups that are busy milking people’s bank accounts, defrauding businesses and stealing the identities of as many as 100,000 people in the UK each year.
So I’m confused. InfoSec is a great show and a wonderful platform for an arsenal of information security and identity products but all the evidence of this year and previous years, suggests that we’re on the wrong side of the arms race to secure the computing environment and that even for the most paranoid of organisations, an unlimited security budget doesn’t offer a safe and bullet-proof existence or to quote Arthur Dent in The Hitchhiker’s Guide to the Galaxy: “Ah, this is obviously some strange use of the word safe that I wasn't previously aware of.”