As that selection demonstrates, system security is a subject which presents the IT journalist with an endless variety of story angles. It’s also one which is almost too scary to contemplate. When I do pay attention to it, as the preponderance of stories this week forces me to, I’m both repelled and attracted.
The repellent part is the cloak and dagger aspect of it: the way the purveyors of security software and services trot out their lists of victims, never naming names (“client confidentiality prevents us”), and always playing for maximum dramatic effect (“the [unnamed] financial institution’s systems were breached within moments of going online”).
The attractive part, of course, is … the cloak and dagger aspect of it.
Writing about security is the IT press equivalent of the — some might say — too-close relationship between the daily media and the police: there’s nothing like a juicy crime (security) story to get readers’ attention. Those who consider it an unhealthily close relationship probably do so because of concern that objectivity goes out the window — that is, the good guys’ claims go untested — in the pursuit of the juicy story.
As I hope I’m getting across, I share some of that concern.
Nonetheless, I also accept there’s plenty of cause for alarm at just how vulnerable systems are. It’s not just the apparent impossibility of keeping out determined intruders that’s worrying, but the unreliability of standard software for keeping even casual website vandals at bay. I’m referring to the almost daily reports of newly discovered flaws in programs as widely used as Microsoft Outlook.
These reports are coming to me with greater frequency than ever courtesy of an alert service run by Auckland company Co-Logic, which monitors hundreds of sources of information on new vulnerabilities. It has a database of thousands of known weaknesses to which it’s adding non-stop.
So what’s to be done to keep out hackers who are clever enough to deface hundreds of websites simultaneously, and to cope when holes keep appearing in commercial software, to mention just two of the risks?
In reality, there’s no absolute answer. Every organisation which depends on computer systems needs to work out the cost in terms of disruption to operations or of theft of valuable data for a range of security breaches. It then needs to weigh that against the cost of the best effort at shoring up defences against specific vulnerabilities.
In most cases the answer will not be to attempt to create an impregnable system — most security specialists will admit that’s futile. The best response is to keep up to date on the latest risks and apply the patches, maintain regular backups, and don’t bet the business on your systems and data. If the last point’s impractical, then keep the crown jewels — the data that’s so sensitive that you’re down the gurgler if it falls into the wrong hands — offline. (When e-commerce demands that organisations everywhere connect to the internet, then my last security tip becomes worthless.)
I have no further advice to offer, except don’t be surprised when your security is broken. Just take comfort that we’re all in the same leaky boat.