Fear of the known

New technologies have improved corporate Australia’s security arsenal – but a changing threat profile makes progress invaluable. David Braue catches up with the exploding information security industry.

Information security breaches have that same sort of visceral appeal as a good horror movie: you cover your eyes, but can’t help peeking to see the gory details as the doomed teenagers pick their way through darkened, killer-infested hallways. Just try, however, to leave the theatre and walk back to the car without checking between the rows of cars in that darkened parking lot.

For years, the security industry has been a self-feeding monster, propelled to massive size and public profile by ongoing reports of security breaches.

In the past, the overriding fear was of dramatic financial losses as mysterious black-hat hackers breached company defences to suck confidential data out of our corporate networks. Still too scared to peek at their own potential risk, companies--often fearing the wrath of governance auditors--furiously bought intrusion detection systems (IDSes), smart firewalls, strict user authentication, virtual private network (VPN) encryption and the many other products emerging onto the market.

The hope, of course, was that technology could provide unbreakable information security--but that was difficult with an often unknown and ever changing threat lurking just outside the firewall.

Fast-forward a few years, and the tone of security discussions has changed substantially. Although the threat from malicious outsiders is still back of mind for any information executive, the to-do list has changed substantially as spam, spyware and other nuisance security breaches continue to multiply.

AusCERT’s 2006 Computer & Crime Survey found that about one in five Australian companies had suffered some sort of attack in the previous year, with viruses and worms reported at 45 percent of companies. Average financial loss from the attacks increased 63 percent compared with the year earlier, weighing in at $241,150 per incident.

That has meant big business for security providers, who have scored a big hit in email security after watching infrastructure technologies like IDSes fell relatively flat. Email is an obvious candidate for protection for another reason: IDC recently estimated that an average of 84 billion emails, 33 billion of which are spam, will have been sent every day this year. With total volumes estimated at 3.5 exabytes (3.5 billion GB) this year alone, that’s a whole lot of places for unknown nasties to hide.