IT Security - Oversold?

Brendan Burgess

There is a very good article in the Sunday Business Post Computers in Business section by Adrian Weckler suggesting that small businesses worry too much and spend too much on protecting against viruses and hackers.

But while everyone knows that there is always a risk of being burgled, very few companies employ an armed guard and four rottweilers on the premises. That's because the risk of being burgled is proportionately small. And the amount of money to be spent on that security is handled in the appropriately proportioned way.

...the majority of Irish companies are low-risk targets. ...It is sensible to have proper IT security but we really don't need as much as some security companies say. It's time to stymie the hype.

The very long article is followed by short responses from Security consultants, all of whom disagree strongly.
 
Hi Brendan

I have not read the article so cannot comment on it directly, however a few points I would like to make from my own experience;

People understand the risks faced in the real world. That's why we deploy burglar alarms on our premises, have a safe to store important documents and have policies in place to ensure a safe working environment. If my company is a small professional firm then I would deploy burglar alarms and ensure I had good locks on the doors. If my company trades in diamonds then I would ensure that I do have "an armed guard and 4 rottweilers" roaming the building.

Securing your business is all about risk management. You identify the threat to your business, be that burglars, theft from staff, fraud or fire. You then decide what you need to put in place to manage that risk.

In the IT world the risks are not as easily understood by business people and to a certain extent not by a lot of IT people either. However once you deploy computers and/or connect to the Internet, there are still very real threats to your business. Computer viruses, hackers and inhouse threats exist and need to be managed.

Computer viruses are a fact of life, anyone who has a PC has at one stage or another come across a computer virus, just look at the IT forum on AAM. The risk assessment that has to be made is, what impact will a computer virus attack have on my business? This is in the terms of lost productivity, lost revenue and the cost of cleaning up the infection. You then manage that risk the same way you manage any other risk to your business.

Hackers are real and are a threat. The image of someone hacking into your network to steal money is far from reality (unless you are a prime target like a bank etc.) Hackers attack computers to use them for various means ranging from the pure thrill of "owning" someone else's computer, boasting to their friends how many computers they "own", or using other computers to attack their real target thus hiding their identity. A point to note is that these hackers also employ automated tools that identify and exploit unprotected systems not caring where those computers are. Again this is a real risk and one that needs to be managed. Can your business afford the impact of discovering your systems have been compromised? What about the cost of fixing the breach and the damage to your reputation? On my own PC at home my firewall blocked an attack from a server located in the First Federal Bank of Boston's network. This machine had been automatically attacked and exploited and was then targeting my machine. Having deployed various security tools on my PC I was able to detect and prevent that attack. What damage would have been done to the bank's business if their server had attacked a major customer's system and not some Internet user in Ireland?

I agree that there has been overhype by certain sectors of the IT market, but there is still a lot of truth amongst all the hype. Computers make it easier and quicker to do things including spreading viruses and hacking into systems. While a burglar can only attack one company at a time, a computer virus or hacker can hit many companies at the same time.

From my experience, a lot of small businesses spend little or nothing on managing the risks posed by viruses and hackers simply because they do not understand what the risks are. Once you understand the risk you can manage it appropriately.

C
Major disclaimer, I work in the IT security business.
 
Most commercial features (of which Computers In Business is effectively one) will generally hype up the product/service in question. IT security is no different. You don't read the property supplements for independent, objective and balanced advice about buying property, for example? The need for a certain level of IT Security in business (AND AT HOME!) is a real one and people should not be complacent about it but, on the other hand, as with any product or service they need to make informed decisions in order to choose the appropriate level of cover and suitable products/services. Simply throwing money and resources at this or any other business challenge (to use the argot ;) ) is stupid and anybody who does so will probably, and deservingly, go out of business sooner rather than later. The minimum protection that anybody should have in place is (a) an appropriate and suitably configured firewall and (b) an appropriate virus checking infrastructure. In addition they should make sure to keep abreast of system and application patches, fixes, updates, upgrades etc. This is basically the three step programme that Microsoft and others promote. Some organisations may also need or benefit from further enhanced IT Security policies and services on top of this (of course I'm assuming a priori that physical security and password/credentials management are already taken care of).
 
Hi 0

Just in case I didn't make it clear, Adrian Weckler is the editor of Computers in Business and he argued strongly that the security is oversold, and I think he even acknowledged that his magazine is a major beneficiary of the advertising which does this overselling.

Brendan
 
Brendan

The Sunday Business Post also sponsors the NITES seminar which is an annual security seminar held in February each year.

C
 
My own experience:

Our company spends around €500 a year on McAfee anti-virus software.
We have a firewall for which we pay around €150 a year in annual maintenance.

Separately from all this, we pay around €2500 a year for an email filtering service. We got this initially to filter for spam, but it doesn't work effectively against spam, because it cannot be tailored to our needs. But it does stop thousands of emails each month with viruses attached.

We haven't had an attack for some years. Before that, we did have problems where clients were refusing our emails because there were viruses attached. This was a disaster for us in terms of earning fees and in terms of bad p.r. It looks very unprofessional to be spreading viruses, especially to clients.

In the overall context of things, €3000 a year seems reasonable.

Brendan
 
I also feel IT security is vastly over-sold. Most money spent on it would be better spent educating users in responsible computing.

Anti-virus companies in particular are snake-oil salesmen, treating the symptom rather than the cause.

What threats does infection pose?
* System downtime - I've had more down-time and reduced performance due to broken anti-virus software than to actual viruses.
* Corruption of data - this can happen due to numerous other causes; you need to have reliable backups.
* Legal damages due to data protection violations (exposure of confidential data etc.) - what is confidential data doing on a system connected to the Internet?
* Negative PR due to outbound viruses - one solution: hold for manual approval any outbound e-mails with attachments.

I am the first to admit this is a contrarian position with little support, even among the technical community. It is based on over a decade's experience developing and installing networked computer systems, including for banks and the health service.
 
(disclaimer - I partly work in security)

Some areas of security are completely overhyped, but saying that isn't the same as saying that security should be ignored. If anything can be solved by selling a product, then the hype merchants will be in selling. Most companies seem to think that spending 10 grand on a shiny box that sits in a corner (doing who knows what) makes them secure - educating users not to share their password costs nothing and probably gives you a greater increase in security.

It's really a matter of cost benefit - unfortunately getting impartial advice is tough when it comes to security. There's also a lot of cowboys who seem to have got into "security" recently. As someone who works in the corporate sector I'd say avoid anyone who starts by suggesting installing a product when you ask them "how much security do I need".
 
Totally agree with hmmm - basically the gist that I was trying to get across earlier. I think that the description of anti-virus vendors as snake oil salesmen earlier is ridiculous. As in any business there are competent and trustworthy vendors and there are cowboys. In fact many of the vendors kindly offer free versions of their tools for personal use as well as free advice/updates.
 
Email Filtering

Hi Brendan,

Did I hear you right when you said that you paid €2500 for an email filtering service?

I assume that you mean SPAM & Virus filtering, but I cant understand why it is costing you so much. Our ISP (UTV Internet) provides these free of charge.

On the point you made about bad P.R. I completely agree. I work for a small software company and we have 4 levels of security - hardware firewall, software firewall, AV software and regular Windows Updates. Yet despite this we still live in fear of something slipping through, but so far so good. However, despite our defenses we have fallen foul of a slightly different problem - spoofers!

There is a virus doing the rounds at the moment called Netsky (with many variants) that is a mass mailing worm that spoofs the "From" address in the mail so it looks like the virus is coming from someone else.

We started to receive some emails on Monday stating that emails we had sent had been blocked because they contained viruses. The strange thing was that the emails were from people/companies that we had no previous dealings with (and as such would not be in our address books), but we decided to disconnect our LAN from the internet just in case.

We ran a full check from top to bottom on each and every device before we could be 110% sure that we were not the source, but it took us a whole day before we felt confident enough to re-connect to the internet.

It would seem that one or more of our real clients has been infected, but we are getting the bad PR - how can you fight this?
 
Re: Email Filtering

how can you fight this?
By educating the complainers as to how 'spoofers' work.

I'm not sure that IT security is oversold, any more than cars are oversold, or PRSA's are oversold, or widescreen TV's are oversold. I agree with other posters who point out that emphasis on user education/training is far more important than black boxes. How many users are educated (and authorised) to question/deny entry to an unidentified person who 'tailgates' them through an access-controlled door.
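The post above answers Jason's question by saying the complainers need to be shown how spoofing works. The following is an added example, not code from any poster: it traces the Received: chain of a constructed Netsky-style bounce and shows that the message entered the internet from a host that is not the company's own mail relay, even though the From: header names the company. The sample message, the host names and the OUR_RELAYS set are all constructed for illustration.

```python
"""Trace the Received: chain of an e-mail to show where it really entered
the mail system, and compare that with the domain claimed in From:.
A mass-mailing worm forges From:, but it cannot rewrite the Received:
headers that each relay prepends on the way to the recipient.
Added example; the sample message and host names are constructed."""
import email
import re
from email.utils import parseaddr

# Constructed sample: From: claims jason@example-software.ie, but the
# oldest Received: line shows the message came from a dial-up host.
# Each relay PREPENDS its own Received: line, so the last one is the origin.
SAMPLE = """\
Received: from mail.client-corp.example (mail.client-corp.example [203.0.113.10])
\tby mx.client-corp.example with ESMTP id abc123; Mon, 1 Mar 2004 09:12:31 +0000
Received: from dialup-198-51-100-77.isp.example (198.51.100.77)
\tby mail.client-corp.example with SMTP; Mon, 1 Mar 2004 09:12:30 +0000
From: "Jason" <jason@example-software.ie>
To: accounts@client-corp.example
Subject: your document
Content-Type: text/plain

see attached
"""

# Hosts that legitimately relay outbound mail for our domain (assumption).
OUR_RELAYS = {"exchange.example-software.ie", "mail.example-software.ie"}

# Received: lines start "from <host> by <host> ..."; we only need <host>.
_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def received_hosts(raw):
    """Return the 'from' host of every Received: header, origin first."""
    msg = email.message_from_string(raw)
    hosts = []
    for value in msg.get_all("Received", []):
        m = _FROM_RE.match(value)
        if m:
            hosts.append(m.group(1).rstrip(";"))
    # Headers were prepended hop by hop, so reverse to get origin first.
    return list(reversed(hosts))


def origin_report(raw, our_relays=OUR_RELAYS):
    """Return (from_domain, origin_host, sent_by_us) for one message."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hops = received_hosts(raw)
    origin = hops[0] if hops else None
    sent_by_us = origin is not None and origin.lower() in our_relays
    return from_domain, origin, sent_by_us


def explain(raw, our_relays=OUR_RELAYS):
    """One-paragraph explanation to send back to whoever reported the bounce."""
    from_domain, origin, sent_by_us = origin_report(raw, our_relays)
    if sent_by_us:
        return (f"The message did pass through one of our relays ({origin}); "
                f"we are investigating.")
    return (f"The message claims to be from {from_domain}, but its first "
            f"Received: header shows it was injected by {origin}, which is "
            f"not one of our mail servers. The sender address was forged by "
            f"a mass-mailing worm on another infected machine.")


if __name__ == "__main__":
    print(received_hosts(SAMPLE))
    print(explain(SAMPLE))
```

The check only holds for the hops your own or your client's servers added; a worm can forge Received: lines of its own below the genuine ones, which is why the comparison is made against the relay that your correspondent's server actually connected to, not against the bottom-most header.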
 
Re: Email Filtering

Jason, I work for one of the largest corp's in the world & we spend a fortune on IT security, but we were still hit by the netsky virus ( twice in the last 2 weeks). I think (not an IT person) we just blocked messages with .zip attachments (there was another attachment type but I can't remember I'll find the mail on Monday and advise)
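Both the earlier suggestion to hold outbound e-mails with attachments for manual approval and the block on .zip attachments mentioned above are attachment policies applied at the mail gateway. The following is an added example, not code from any poster or product: it inspects a message's attachments, blocks executables (including executables packed inside a .zip, which is how the Netsky variants travelled), and can optionally hold any other message with attachments for approval. The sample messages, the extension list and the policy thresholds are constructed assumptions.

```python
"""Attachment policy check for a mail gateway: block executable attachments
(also when hidden inside a .zip), and optionally hold every message that
carries an attachment for manual approval before it leaves the company.
Added example; the sample messages are constructed in code."""
import io
import zipfile
from email.message import EmailMessage

# File types Windows will run directly when double-clicked (policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _ext(name):
    """Lower-case extension of a file name, or '' if it has none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def zip_members_executable(data):
    """Names inside a zip payload that have executable extensions."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []  # not a zip at all; nothing to report here


def check_message(msg, hold_all_attachments=False):
    """Return (verdict, reasons); verdict is 'deliver', 'hold' or 'block'."""
    reasons = []
    attachments = list(msg.iter_attachments())
    for part in attachments:
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {name}")
        elif ext == ".zip":
            bad = zip_members_executable(part.get_payload(decode=True))
            if bad:
                reasons.append(f"{name} contains executable(s): {', '.join(bad)}")
    if reasons:
        return "block", reasons
    if hold_all_attachments and attachments:
        return "hold", [f"{len(attachments)} attachment(s) awaiting manual approval"]
    return "deliver", reasons


def build_sample(zip_with_exe=True):
    """Construct a sample message carrying one zip attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "accounts@example-software.ie"
    msg["Subject"] = "your document"
    msg.set_content("see attached")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A double extension like document.txt.exe is the classic disguise.
        zf.writestr("document.txt.exe" if zip_with_exe else "document.txt", b"x")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg


if __name__ == "__main__":
    print(check_message(build_sample(True)))
    print(check_message(build_sample(False)))
    print(check_message(build_sample(False), hold_all_attachments=True))
```

Blocking every .zip outright, as the post describes, is the blunt version of this; looking inside the archive lets legitimate zipped documents through while still catching the packed worm. Password-protected archives cannot be inspected this way and would need a separate hold rule.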
 
Re: Email Filtering

Hi Jason

Did I hear you right when you said that you paid €2500 for an email filtering service?

I assume that you mean SPAM & Virus filtering, but I cant understand why it is costing you so much. Our ISP (UTV Internet) provides these free of charge.

We use eircom net and they don't seem to have any such service. We looked at installing a spam filtering service directly on our server, but it worked out at the same price supplied by a company called TopSec Technology.

But as I said, the spam filtering doesn't work properly but the side effect is that it filters out all the viruses. It also allows us to quarantine executables and emails with offensive language.

I find eircom.net fairly good otherwise. Reasonably good technical support so I would be slow to move. We had disasters before with other ISPs, although that was some years ago now.

Brendan
 
Re: Email Filtering

We use eircom net and they don't seem to have any such service.

Is this not their equivalent?

[broken link removed]
 
Re: Email Filtering

Thanks 0

I will look into that. I get the impression that it's for home users with an eircom.net email address? We have our own SMTP server as distinct from a pop 3 server ( does that make sense?), so I don't know if it applies to us.

Brendan
 
POP 3 & SMTP Servers & Email Filtering

Hi Brendan,

We have MS Exchange 2000 on our LAN which acts as our SMTP server for all outbound mail (SMTP only deals with delivery of mail I think), but we maintain a set of POP 3 accounts with our ISP (we still do not have a public IP address) to receive our emails.

There is a tool called a "POP 3 Connector" that allows MS Exchange to fetch email from POP3 accounts and route them to Exchange users.

The upside of all of this is that we get the benefit of the ISP's SPAM & AV filtering. (We still do our own scanning also)

Jason
 
Re: POP 3 & SMTP Servers & Email Filtering

Bren,


Get a college kid to setup SPAMAssasin (freeware) between mail and internet link, it is good.

spamassassin.apache.org/



Slan / Ed
 
Re: POP 3 & SMTP Servers & Email Filtering

>>Get a college kid to setup SPAMAssasin

With all due respect, as an IT Professional I do have to sigh when I hear of companies trusting their IT infrastructure to untrained and inexperienced people. I am not saying that technically they cannot do the job but would you get a college kid to set up your accounts or do your legal work?

IT Security is crucial in managing business risks for companies and needs to be done in a professional and qualified manner.

C
 
Re: POP 3 & SMTP Servers & Email Filtering

I appreciate that point, and totally agree that companies need to have appropriate security procedures/mechanisms put in place properly, but I have seen the other side of the coin - e.g. so called professionals not doing the job properly. The company I started working for recently had a badging process to register and badge new employees in Silicon Valley and while it was being carried out by the security personnel we noticed that they were logging into the system with a password of "security". The IT department then issued our domain accounts with default passwords of variations on the word "password" which, due to the constraints of the domain security policy, could not be changed until 30 days had elapsed. Initially we only had access to our corporate email accounts over Outlook Web Access, rather than the native Windows Outlook client application, using an insecure HTTP link although, on inquiring, I was told that I could use secure HTTPS if I really wanted to. This is a company which is ranked about third or fourth in its market and has a market cap of c. US$500M!
 