Some security software needs to be labeled with a hazard warning, because it can do immense damage when it goes wrong. Security software glitches can trash client machines, close down access to essential services, trigger false alarms, or even destroy data. As one security pundit recently put it, if 2009 is the year of encryption then 2010 will be the year of lost encryption keys. There’s certainly a lot of truth in that remark.
In the last few days, there have been reports of large numbers of PCs being felled by a false alarm caused by a McAfee update. And, in a separate incident, I found myself cut off from the Internet by an upgrade to my Norton Internet Security software. In my case, the bug seems to have been associated with the fact that I upgraded from a CD rather than a download. But you’d have to be stupid to choose the online option when the CD version is half the price. Greedy vendor marketing strategies don’t help.
Whatever the cause of any incident, however, the key point to note is that security software is getting more powerful and becoming increasingly critical to business operations. That means we need to pay more attention to the design of management systems and the ease of use of product features. Unfortunately, these are probably the two weakest areas of security software. Key management, for example, attracts the least amount of university research. And usability is widely ignored by vendors as it’s not guaranteed to generate product sales.
Both these areas need greater funding from universities and research councils. It’s starting to happen, but there’s a long, long way to go. Education of customers is also important. Again, there are some token gestures, but not nearly enough to ensure that the average citizen or SME can set up a firewall or encrypt their laptops without creating an unsafe environment. Until we overcome these shortcomings, we should be alert to the hazards of security software, especially in untrained hands. Because sometimes a little knowledge can be a dangerous thing.