Data security requires diligent, constant efforts
The good news is that security is finally reaching critical mass in the minds of the corporate executives who authorize IT budgets. Companies may be cutting back everywhere else, but they're maintaining their spending on safety.
The bad news is that security isn't a one-time fix. It's an ongoing process, an effort and outlay that will continually divert IT from the jobs it would prefer to pursue, such as keeping the company's systems going, creating e-commerce applications and simplifying the supply chain.
The worst news is that IT operates in a world where software vendors tend to be all too cavalier about their own role.
Now, I'm not about to let the most malevolent characters off the hook: the people who crack into computer systems for juvenile vandalism or personal gain.
The news has been full of their sleazy exploits, including cases of theft, extortion and more. When you realize that most companies don't tell anyone that they've been compromised, the number of security disasters that have been made public is scary stuff.
But we shouldn't let off the hook the companies selling hardware and software that have more holes than Swiss cheese. Why do we give them a free ride?
It's one thing when the freeware at the heart of the Internet springs a leak. With open-source software, at least, the community seems motivated to fix problems quickly.
But the vendors of IEEE 802.11 wireless networking technology have been selling products that open massive holes in corporate networks. Use a virtual private network if you don't like it, they say. Thanks for your concern, guys.
Then there's Microsoft, whose gross profit margins exceed 90 percent. The folks in Redmond seem to be more concerned with adding features to products than with testing and securing them. Hardly a week goes by without some new exploit of a Microsoft product being discovered -- usually by outsiders, not during the company's supposedly rigorous internal testing.
Microsoft doesn't sell a Windows version of its Outlook personal information management software that handles an elementary security function. Outlook won't allow users to turn off HTML display in their e-mail clients, even though it's increasingly clear that even reading HTML can pose risks in certain circumstances. Customers don't want this capability, Microsoft says blandly, even though its Macintosh e-mail client does offer HTML protection.
Why does IT allow this? Perhaps Microsoft's marketplace dominance has something to do with it. A convicted monopolist can pretty much tell its customers what it wants.
None of this leaves users off the hook. We lock the doors to our houses when we leave for work and lock our cars when we park at the store. Yet we tend to be casual about computer security. Few companies require employees to encrypt e-mail. Firewalls, once considered the first line of defense, are becoming porous as instant messaging and other peer-to-peer technologies take root inside corporations. And social engineering, the art of extracting secret information in a phone call by pretending to have a right to that information, is rampant.
Security is a top-to-bottom effort. Vendors need to work harder to plug their leaks. IT needs to give users the training and tools to be safer.
And everyone needs to care more.
» posted by ITworld staff
Computerworld