Technical advances are making computing more secure, but user education must be a priority in the battle against viruses and vulnerabilities
Pervasive computing will be as critical to economic and social progress in the 21st century as electricity was in the last. Yet, until computing matches the security and reliability of the national grid - always there at the touch of a switch - it will fail to fulfil its potential as the foundation of the information age.
Viruses and vulnerabilities, coupled with limited understanding of how to protect systems from them, threaten to deter consumers and businesses from using computing for e-commerce, education and communication.
No one doubts that the world of software must change and, for Microsoft, security is the number one priority. Trustworthy computing depends on secure systems, reliable products, acceptable rules on privacy, and the integrity of suppliers to respond to security issues.
Isolation and resilience of computing systems, for example, are needed to detect and eradicate vulnerabilities before they have an impact. Software innovations can now quarantine suspect clients and verify compliance with pre-determined rules before allowing network access.
Network access itself must be tightly managed, and breakthroughs are being made in the field of integrated authentication, for instance, which demands multi-factor proof of identity, using smartcards, biometrics and mobile handsets. Authentication must be reinforced by authorisation and access control.
Simplicity of deploying security solutions is also essential in the fight against malicious software writers. But critical to their deployment are ease and automation. The move to regulated, well-publicised security updates is now becoming common and, just as virus writers and hackers intend to be increasingly disruptive, formalisation of patch management is making protection increasingly non-disruptive.
But no matter how secure technology may become, education of and awareness among users and suppliers is critical. Knowledge and new skills will underpin the security of IT systems and networks; they will help protect confidential data and personal wealth.
In an era of rapid broadband growth and always-on devices, of organised online crime and malicious code writers, security knowledge must reach consumers, employees, public services, retailers and financial institutions. This requires speaking to multiple audiences in simple language and with clear instructions that transform behaviour.
All software suppliers must take responsibility to talk to stakeholders and customers. By the end of this year, Microsoft aims to have provided information to 500,000 businesses worldwide, including 14,400 in the UK, to help them become more skilled at securely configuring and protecting systems and networks.
Skills and resources vary according to the nature and size of user organisations. Small businesses, in particular, require specific support, with tools that are easily deployed and information that is easily actionable.
Likewise, IT professionals and the developer community must be supported with specific information through training, seminars and workshops, guidance material and software tools. However, the most effective long-term investment in security is in developing the skills of those yet to enter the industry.
If security is the priority of software suppliers, it should also be the priority of university research. Some of the UK's first students to be taught secure software development graduated from the University of Leeds this summer. The new course has already produced a fresh batch of recruits to the UK's IT industry, all of whom now have security at the forefront of their minds.
Engineering excellence will always be at the heart of the battle for secure computing, delivering products that are secure by design, by default and in deployment. But at the vanguard of that battle is the education of all individuals in the awareness of online threats and how to protect against them.
Nick McGrath is Microsoft's Security Mobilisation Initiative lead
This article is part of Computer Weekly's Special Report on network security produced in association with Microsoft
This was first published in November 2004