Confronting the Security Malaise

Carl Weinschenk

The coverage of a keynote delivered by new McAfee CEO David DeWalt to the InformationWeek 500 conference changes topics abruptly about halfway through. The first half notes DeWalt's feeling that, despite the huge amount of security news during the past few years, corporations are paying surprisingly little attention to security. The second half of the story looks at trends that DeWalt expects to transform the security industry.


The first half is worth more attention. Despite increases in compliance-related security and the seemingly common-sense idea that good security is good for the bottom line, cyber crime has become a $105 billion business. Criminals are innovating by taking the best ideas from the online world -- such as automatic updates and highly automated packages that don't require expertise to use -- and creating agile businesses.


An example of the disconnect between what makes sense in terms of security oversight and what happens in the real world can be seen in this story on the hacking of TD Ameritrade Holdings. The hack exposed the 6.3 million accounts opened before July 18, 2007. It seems unbelievable that, after the TJX disaster and other hacks, this still occurred. The kicker is the claim in a class action suit filed this week that the company knew of the situation a year ago. Of course, at this point that is a mere allegation -- but quite a scary one.


While people on the good side seem to be getting no more savvy, the bad guys are getting more targeted and clever. For instance, spear phishing -- in which the criminal learns about and targets specific individuals instead of sending out mass mailings -- is a growing problem.


The challenges won't get any easier. For instance, this release highlights a survey from Jericho Forum that explores the erosion of the lines between corporations. This trend -- labeled de-perimeterization in the study -- is meant to increase the ability of people in different organizations to cooperate and collaborate. It no doubt does that -- and, at the same time, most likely offers hackers and crackers an all-you-can-eat buffet of ways to wend their way into the enterprise. Federated identity is intended to confront this issue. Hopefully, it will catch on -- but it is a complex undertaking that requires a great deal of cooperation from many quarters to succeed.


Here, Sophos details what could possibly happen to the victims of the TD Ameritrade hack. The company notes that the brokerage firm maintains that vital user information -- such as user IDs, Social Security Numbers and dates of birth -- was not released. However, Sophos said that the information the e-mails made available will result in a tremendous amount of spam to those customers and will likely lead to loss of cash by susceptible subscribers.


It seems frightening that security executives still have to worry about whether corporate America is worried. In different guises, the same concern recurs at every turn: that a high level of denial permeates business. The problem isn't the brains of the crooks -- though they are big, and that doesn't help -- but the apparent business-as-usual feeling that predominates in the non-security corporate suite.
