Real security experts' key recommendations could fit on the back of a Post-it note. Unfortunately, the telecoms and IT industry is determined to press dated and overpriced antivirus apps on SMEs and consumers alike. There is a better way.
CSPs are selling a security model the professionals won't rely on for their own security
Not long ago, Google Labs researchers asked a sample of security professionals what precautions they took to defend their information security. Then they polled the general public. The differences were stark.
The single biggest recommendation from the experts was "patch, patch, patch." The public, however, trusted overwhelmingly in antivirus apps.
Two different models of security are at work here. The public sees security as a product, like a packet of cornflakes. You buy AV apps and you'll be OK. The experts see it as a consequence of sound IT practices in general. Keeping all your software up to date, using two-factor authentication, and minimizing password reuse are features of good systems administration, and security is inherent in them.
The experts are right – not only is AV unlikely to help you against phishing, browser exploits, or attacks on connected devices, it has become a security risk in itself, and an especially serious one because AV apps need to run with administrator privileges to work. Trend Micro, for example, has been the subject of more than 200 reported vulnerabilities since June 2016 across 11 products. Mozilla distinguished engineer Robert O'Callahan recommends chucking AV entirely.
In this light, it's depressing to look at most CSPs' security offerings. Consumers and small businesses are invariably offered resold AV applications. At the other end of the scale are bespoke consulting projects SMEs can't afford and don't need. There's a reason for this. Defining something as a one-off sale of packaged software means it's relatively simple to sell it. Like cornflakes. Again like cornflakes, the margins aren't great, but at least it's something.
We can do better than this. We know that SMEs are hungry for technology advice and effective IT support. The basic security discipline of the top three recommendations is exactly the kind of thing better IT support can deliver – and it fits closely with the wider agenda we need for success.
"'...no one can hack my mind': Comparing Expert and Non-Expert Security Practices." Available from https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf [accessed February 1, 2017].
"Hackers Tear Apart Trend Micro, Find 200 Vulnerabilities in Just 6 Months." Available from http://www.forbes.com/sites/thomasbrewster/2017/01/25/trend-micro-security-exposed-200-flaws-hacked/#7ad9d7b355d6 [accessed February 1, 2017].
"Disable Your Antivirus Software (Except Microsoft's)." Available from http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html [accessed February 1, 2017].
Alexander Harrowell, Senior Analyst, SoHo & SME ICT Services