An insecure feeling

IT security always reminds me of exercise. We know we have to do it and every once in a while a few of us manage some periodic bouts of sweating, at least for a month or two.

But despite our best intentions, too often we lose our motivation and end up a bit tighter around the waistline, telling ourselves that we’re not in bad shape, that we feel fine. That exercise can wait.

That’s why I get so frustrated when I read reports that warn Canadians about the perils of unhealthy living, or that warn IT professionals about the hazards of poor security practices. Unless you’re one of those people who sue cigarette makers because the makers failed to tell them that cigarettes could be unhealthy, you realize it’s old news. We all know it’s true. Why waste the paper?

That might be a cynical take on the state of affairs in IT security, but I never hear anything to make me think otherwise. At times, the challenges the industry faces seem almost insurmountable.

At the recent Comdex show in Toronto one of our reporters asked attendees about their security initiatives. To a person, they said they’d love to do more, but can’t because their managers aren’t willing to spend money on a problem they can’t see, hear or touch. That’s a tough one to fix. If I knew the best way to convince your upper management to spend more on security – aside from the proven method, which is for something catastrophic to happen first – I’d be rich.

Then there are the commonly accepted practices within our industry. Users are still picking easy-to-figure passwords, or are even sticking with the default settings. And whether it’s because they’re swamped with work, don’t have enough resources or aren’t taking threats seriously, some systems administrators aren’t patching as often as they should.

Then again, their patching workload would probably be greatly reduced if software vendors were more concerned with the quality of their code. “Every day in this country there are companies suffering from damages and losses” that are the result of poorly engineered software, said Richard Clarke, chairman of the U.S. President’s Critical Infrastructure Protection Board, speaking at Def Con, a recent gathering of hackers and security experts in Las Vegas. “The quality control obviously isn’t there.”

His suggestion? That you stop buying buggy software. That’s not very realistic for two reasons: one, vendors won’t stop issuing buggy software unless we radically revamp our economic system, and two, from time to time, you actually have to buy software.

Yes, there is some good news. Earlier this summer, San Francisco-based Ferris Research concluded that management need not worry much about viruses infiltrating organizations via the desktop. It found that a 1,400-person organization anticipates a total of about four outbreaks in 2002; each outbreak affecting just individual users. That’s an average of each user getting one outbreak every 350 years or so.

Even when struck, users lose only about an hour of their time chatting with the technical people who help with the fix. Ferris says that costs around $25 per user incident or up to $80 if you factor in help desk time.

But the serious outbreaks are becoming very serious indeed – whoppers such as Klez and Code Red may be only the tip of the iceberg, not to mention the viruses that are now infiltrating popular instant messaging software, which may represent a big step backward from the gains made on the desktop front.

But in the back office, it’s situation normal – IT staff pressuring managers, software vendors pressuring companies, increasingly dangerous malicious hackers and cyber-criminals pressuring everyone. Unless we all sit down and get this one figured out, Corporate Canada, and the reputation of IT, will continue to pay a needless price.


Jim Love, Chief Content Officer, IT World Canada
