Computer Security: Horror Vs. Hype

Every time you turn around, a new computer security threat pops up.

In addition to hacker attacks, worms and viruses, lots of miscreants have gone phishing, sending e-mails that mimic those sent by banks and credit services. These thieves try to entice the unsuspecting to send back personal information and account numbers. There’s also a lot of buzz about “puddle phishing,” in which identity ripoff artists target unsuspecting, trusting customers of small banks and credit unions. Then there are threats such as mobile malware, meaning programs designed to disrupt wireless services; hot-spot eavesdropping, in which hackers invade the electronic communications of mobile workers; and Internet telephony breaches, in which intruders tap into digital phone systems.

Not surprisingly, most technology officers feel a little off balance. A survey published late last year by Ziff Davis Media’s CIO Insight magazine found that just 20% of information-technology executives felt their companies adequately protected themselves from viruses, worms and hackers.

Gartner, the research company, said in a report last month that security threats were causing companies to hesitate before implementing new technologies. But you have to ask yourself: Is it possible to worry too much?

According to Gartner, many of the latest security threats “have been greatly exaggerated.” At or near the top of its list of the most overhyped risks were mobile malware, wireless hot-spot eavesdropping and Internet telephony attacks.

Gartner called mobile malware “a niche nuisance.” Only about 3% of all smart phones and PDAs are penetrated by worms or viruses. For all intents and purposes, this kind of attack “doesn’t happen,” says Amrit Williams, a research director in Gartner’s information security and risk practice.

Companies also shouldn’t be overly concerned about hot-spot eavesdropping. Gartner said non-technical employees with mobile devices may be at risk, but a smart company will just install security software on the devices and educate users about possible threats.

Internet telephony breaches are “the most overhyped threat,” Gartner said. Anyone with malicious intent needs access to the company’s local area network-based intranet, which means the attackers can be easily identified because they come from a pool of known individuals. And when you get down to it, safeguarding telecom systems isn’t much different from securing data systems.

Yes, bad things will happen. But, says Williams, “The goal of security is not to prevent all bad things from happening. You limit the probability of an event occurring. And if it does happen, you limit its impact.”

Take precautions. But take the ones that are right for you. For example, don’t try to shut off every device you think might be vulnerable. Instead, figure out what devices you have and what they’re being used for, and then configure the devices’ features and access levels to limit vulnerabilities. And don’t buy every high-end security product against every conceivable threat. Instead, Williams says, deploy security event monitors that can instantly alert you to any intrusion so you can shore up any breach and limit potential damage.

And then forge ahead. “We have slowed down implementation of new technology to address security concerns, but I can’t think of a time when we didn’t move forward with new technology that made sense to us,” Sue Powers, CIO of travel services company Worldspan, wrote in an e-mail.

Likewise, Finbarr Curran, the chief information officer at the World Food Programme, says the U.N. relief agency postponed a rollout of wireless technologies until it was sure it could secure the system. “We take our time,” Curran said in a message. “But we can and have overcome most obstacles. We are going with wireless later this year.” He says that the agency hasn’t been brought down by a security problem in years.

The trick: Move ahead cautiously—but keep moving.

“When security is disabling a business from becoming more efficient because of fear in the marketplace,” Williams says, “that’s a dangerous place to be.”

John McCormick is executive editor at Baseline magazine.