I (Adriel) read an article published by Charles Cooper of c|net regarding small businesses and their apparent near total lack of awareness with regards to security. The article claims that 77% of small- and medium-sized businesses think that they are secure yet 83% of those businesses have no established security plan. These numbers were based on a survey of 1,015 small- and medium-sized businesses that was carried out by the National Cyber Security Alliance and Symantec.
These numbers don’t surprise me at all and, in fact, I think that this false sense of security is an epidemic across businesses of all sizes, not just small-to-medium. The question that people haven’t asked is why does this false sense of security exist in such a profound way? Are people really ok with feeling safe when they are in fact vulnerable? Perhaps they are being lied to and are drinking the Kool-Aid…
What I mean is this. How many software vendors market their products as secure only to have someone identify all sorts of critical vulnerabilities in it later? Have you ever heard a software vendor suggest that their software might not be highly secure? Not only is the suggestion that all software is secure an absurd one, but it is a blatant lie. A more truthful statement is that all software is vulnerable unless it is mathematically demonstrated to be flawless (which by the way is a near impossibility).
Very few software vendors hire third-party vulnerability discovery and exploitation experts to perform genuine reviews of their products. This is why I always recommend using a third-party service (like us) to vet the software from a security perspective before making a purchase decision. If the software vendor wants to be privy to the results then they should pay for the engagement because in the end it will improve the product. Why should you (their prospective customer) pay to have their product improved? Shouldn’t that be their responsibility? Shouldn’t they be doing this as a part of the software development lifecycle?
Security vendors are equally responsible for promoting a false sense of security. For example, how many antivirus companies market their technology in such a way that might be perceived as an end-all, be-all solution to email threats, viruses, and trojans, etc.,? Have you ever heard antivirus software vendors say anything like “we will protect you from most viruses, worms, etc.”? Of course not. That level of honesty would leave doubt in the minds of their customers, which would impede sales. Truth is, their customers should have doubt because antivirus products are only partially effective and can be subverted, as we’ve demonstrated before. Despite this fact, uninformed people still feel safe because they use antivirus software.
Let’s not only pick on antivirus software companies though, what about companies that are supposed to test the security of networks and information systems (like us for example)? We discussed this a bit during our “Thank You Anonymous” blog entry. Most businesses that sell penetration testing services don’t deliver genuine penetration tests despite the fact that they call their services penetration testing services. What they really sell is the manually vetted product of an automated vulnerability scan. Moreover, they call this vetting process “manual testing” and so their customers believe they’ve received a quality penetration test when in fact they are depending on an automated program like Nessus to find flaws in their customer networks. This is the equivalent of testing a bulletproof vest with a squirt gun and claiming that its been tested with a .50 caliber rifle. Would you want to wear that vest in battle?
It seems to me that security businesses are so focused on revenue generation that they’ve lost sight of the importance of providing clear, factual, complete and balanced information to the public. It’s my opinion that their competitive marketing methodologies are a detriment to security and actually help to promote the false sense of security referenced in the c|net article above. Truth is that good security includes the class of products that I’ve mentioned above but that those products are completely useless without capable, well-informed security experts behind them. Unfortunately not all security experts are actually experts either (but that’s a different story)…