1:55 PM -- Is it just me, or is the whole security industry banging its head against a brick wall?
As we reach the end of the year, analysts and security watchers all over the world are offering annual studies, reports, and statistics on the state of IT security. And after sifting through dozens of such reports over the past several weeks, I have yet to see one that demonstrates any improvement in the security posture of the industry. In fact, most of them report that we have achieved new heights of haplessness.
After a 2007 filled with reports of data breaches of all types -- and the creation of an entire category of products designed to stop them -- researchers earlier this week reported that some 85 percent of companies have experienced at least one reportable breach in the last 12 months, and 63 percent have experienced between six and 20 such breaches. The authors of the study, Ponemon Institute and Deloitte and Touche, described themselves as "shocked" by the results. (See Study: Breaches of Personal Data Now Prevalent in Enterprises.)
After a 2007 filled with compliance and "security awareness" programs, researchers now report that employees are not unaware of the policies -- they are simply disregarding them. In separate studies, both RSA and SecureInfo this week reported that commercial and government users either don't remember what they've learned in security training or actively work around security policies, which they see as obstacles to getting their jobs done. (See End Users Flout Enterprise Security Policies.)
After a 2007 filled with anti-spam technology developments, researchers now report that spam has broken new records, both in terms of volume and as a percentage of total email traffic. A report from Barracuda Networks indicates that spam now makes up some 95 percent of all messages sent. (See Buffer Overflows Are Top Threat, Report Says.)
And those are just the reports from this week. In past weeks, we've seen reports indicating that malware is at an all-time high, that identity fraud has doubled in the past year alone, and that mobile/portable device vulnerabilities are more acute than ever before.
All of this data raises some interesting questions: Are there really more bad guys out there? Or are security vendors and practitioners doing a worse job than ever? Are researchers just finding more threats than ever, in an effort to scare users into buying more products and services? Or have users reached the "fear saturation" point, and begun to simply throw up their hands and do whatever they want?
As we reach the end of the year, it's time once again to take stock of the security situation and ask some hard questions: Is it time to abandon the old perimeter security approach, scrap the AV and the old-style firewall, and look for a new strategy? Should we abandon the "security awareness" bandwagon and simply lock down networks and client systems? Is there a way to re-prioritize security defense strategies to stop current attack methods, rather than focusing on the threats of years ago?
If this month's research is any indication, it definitely is time to start asking some of these questions. It's fine to stamp out the sparks, but sooner or later, we need to ask where the fire is coming from.
Tim Wilson, Site Editor, Dark Reading