Lack of security investment leaves businesses open to threats, says study

A study by PricewaterhouseCoopers has shown that three-quarters of UK businesses, hampered by skill shortages and a lack of investment in security, are condemned to security breaches.

IT users worldwide are being targeted in educational campaigns by technology heavyweights such as Microsoft, which claimed it can only do so much to reduce security threats without more user co-operation.

Jonathan Perera, Microsoft's senior director of product management in the Security Business and Technology Unit and a speaker at the InfoSecurity Europe 2004 conference in London, called it "the grey matter bug": users clicking on buttons they should not, inadvertently downloading viruses and unknowingly opening the door to other security breaches.

Microsoft is fighting this particular bug through broad educational campaigns, targeting both IT students by supplying educational materials for IT security course work, and end-users via its software.

"I think we can use software to educate users about software security," said Perera. That is what the company is planning to do with Windows XP Service Pack 2, due out later this year, he added.

Service Pack 2 will include prompts to help users establish firewalls, block pop-up ads and update anti-virus software.

"We want to reduce the attack surface of our products," he said.

Microsoft chairman and chief software architect Bill Gates recently outlined moves to isolate threats and increase product resiliency and quality, as well as broad educational efforts.

The company is also working with an increasing number of third-party software suppliers and security researchers to reduce security threats.

David Litchfield, managing director of Next Generation Security Software (NGSS), said that Microsoft is doing an enormous amount to improve the security of its products.

NGSS is working with the company to detect and analyse potential threats. Two and a half years into its Trusted Computing initiative, Microsoft has cited a fall in the number of critical and important security bulletins it has released as proof that the measure is working.

Windows Server 2000 had 42 critical and important security bulletins, whereas Windows 2003 has had 13, Perera said.

While Microsoft looks to end users to help further reduce threats, users remain frustrated that there are any security bulletins at all, because patching systems costs them large amounts of time and money.

"Microsoft needs to do more," said conference attendee Richard Holt, who works in IT support for a London company. "Each patch is a headache."

Scarlet Pruitt writes for IDG News Service
