How many industries can survive with 50% success, even if success is merely performing as advertised?
Talking to the Wall Street Journal earlier this month Symantec’s senior VP, Brian Dye, whose antivirus software is one of the market’s most popular, admitted Norton catches only 45% of cyber-attacks.
Such failure to deliver would not be acceptable in other industries, but digital security has long been failing to halt its adversaries. Speaking at a summit in Amsterdam this week on enterprise security, Eddie Schwartz, VP of global security at Verizon, said: "We’ve created what looks like the semblance of security and the bad guys pretty much drive around the perimeter and do whatever they want."
For the end user, security remains unaccountable. In an interview with CBR last week Hugh Thompson, security strategist at Blue Coat, said: "To the average consumer it’s very tough for them to evaluate the type of companies they do business with." Unlike physical theft, most people have no idea whether they have been breached, and the same is true of businesses.
Internal discovery of breaches has hovered between 15-25% for the last decade, says Verizon’s research, figures outstripped by both police and third party notifications. The motivation is chiefly financial, with point-of-sales systems and the payment details of customers common targets. This means both customers and businesses have much to be worried about.
Legislation playing catch up
At best, the rule of law applies sporadically online. Legislation inevitably has to play catch up with technology, but for more than a decade criminals have operated with an ease that would be unthinkable offline. Piracy is not merely common, but appears to be increasing, as the piracy figures for series such as Game of Thrones demonstrate, and barely a week passes without another data breach report being released warning of danger.
In response, governments are digging their claws further into the web, wrapping business tighter in compliance and, in the case of the EU ruling on the right to be forgotten, demanding more privacy controls for citizens. After Snowden, ministers are more sensitive to data leakage, and will force businesses to straighten themselves out.
Dye and his peers’ lack of concern at the amount of breaches is not mere complacency that the other antivirus software is not faring much better. Digital security has now accepted that prevention is futile. What matters now is recovering fast once you have taken the hit.
What businesses will see is security firms scooping more and more data while breaches are taking place. "When attacker exposes themselves and they start doing things it becomes more visible if you know what to look for," Schwartz said. "There’s this sweetspot where there’s a high detection potential and an opportunity for our industry to get better with things."
Both customers and businesses are likely to be critical of what appears to be a forfeit, but right now, this is all the industry can do. Verizon’s research even indicates that criminals are improving their tactics faster than the opposition. That process will have to be reversed if the digital economy is to retain any credibility.
For now the internet is leaking like a sieve, and everybody’s information is at risk. Businesses must take steps to reassure its customers, and better collaboration across industries is needed, at least if you believe Schwartz.