
The security industry has a duty to be more realistic, says security expert Jan Hruska.
If it is true that "sex sells" in the tabloid press, it is certainly fair to say that "security sells" in the IT media. Any IT department would prefer to be forewarned about a vulnerability rather than finding out about it first-hand.
The critical role that the media plays in circulating information about potential vulnerabilities puts the security industry in a position of responsibility. It has a duty to provide accurate facts that can help businesses make informed decisions about current threats.
Unfortunately, there have been several incidents where threats have been overblown to make a more interesting story.
Take for example the Anthrax (or Antrax) worm. Coinciding with the Anthrax scares in the US, one security supplier released a media advisory warning of this piece of malicious code. In reality, this virus could be detected by reputable anti-virus software for months prior to the release. As a result the virus never spread in the wild.
There are several other examples where the IT security industry has predicted Armageddon. A particularly high-profile damp squib involved the outbreak of mobile telephone viruses. Since 2000 we have heard "experts" predicting that mobile viruses are just around the corner and that we should safeguard our phones now before it is too late.
To date, there have been no viruses for mobile phones, and the only malicious code that exists for handhelds is a couple of Trojan horses and a virus for the Palm, none of which has ever circulated in the wild.
Of course, one cannot say that the mobile virus threat will never happen. As mobile operating systems become more sophisticated, virus writers may target them. The problem is that with so many false predictions in the recent past, how will people know when the threat stops being theoretical and becomes actual?
For the IT security industry as a whole, suppliers, analysts and consultants alike, the media represents a critical way of spreading news about threats, but it is crucial that they keep security issues in perspective and stick to the facts.
This way, the industry can avoid creating a "boy who cried wolf" situation where nobody believes that their network is under threat until it is too late.
Jan Hruska is chief executive of anti-virus supplier Sophos.