The security industry has a duty to be more realistic, says security expert Jan Hruska.
If it is true that "sex sells" in the tabloid press, it is certainly fair to say that "security sells" in the IT media. Any IT department would prefer to be forewarned about a vulnerability rather than finding out about it first-hand.
The critical role that the media plays in circulating information about potential vulnerabilities puts the security industry in a position of responsibility. It has a duty to provide accurate facts that can help businesses make informed decisions about current threats.
Unfortunately, there have been several incidents where threats have been overblown to make a more interesting story.
Take for example the Anthrax (or Antrax) worm. Coinciding with the anthrax scares in the US, one security supplier released a media advisory warning of this piece of malicious code. In reality, reputable anti-virus software had been detecting this virus for months before the advisory was issued, and the virus never spread in the wild.
There are several other examples where the IT security industry has predicted Armageddon. A particularly high-profile damp squib involved the outbreak of mobile telephone viruses. Since 2000 we have heard "experts" predicting that mobile viruses are just around the corner and that we should safeguard our phones now before it is too late.
To date, there have been no viruses for mobile phones and the only malicious code that exists for handhelds is a couple of Trojan horses and a virus for the Palm - none of which has ever circulated in the wild.
Of course, one cannot say that the mobile virus threat will never materialise. As mobile operating systems become more sophisticated, virus writers may target them. The problem is that, after so many false predictions in the recent past, people will have no way of knowing when the threat stops being theoretical and becomes real.
For the IT security industry as a whole - suppliers, analysts and consultants alike - the media represents a critical way of spreading news about threats, but it is crucial that they keep security issues in perspective and stick to the facts.
This way, the industry can avoid creating a "boy who cried wolf" situation, where nobody believes that their network is under threat until it is too late.
What do you think?
Does the security industry exaggerate the threat of viruses? Tell us in an e-mail. ComputerWeekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.
Jan Hruska is chief executive of anti-virus supplier Sophos
This was first published in August 2003