Security During Hard Times


The financial crisis that has gripped the world economy for much of the autumn could easily touch off a security crisis.


Rani Osnat, vice president of marketing for Sentrigo, told me last week there are a couple of specific dangers. The first is that honest employees might panic or be so angry that they grab some data before they are pushed off the corporate lifeboat. This data can be sold to the bad guys who, like sharks, will be waiting right outside.


The other major area of concern is that the fast pace of acquisitions and mergers will create disruption and make life a lot easier for social engineers. They will be able to slip between the cracks far more effectively as systems are integrated. This might be even more dangerous than in other merger-and-acquisition scenarios, simply because traditional groupings are better thought out and more thoroughly planned than those driven by the cratering economy.


There is a lot to be concerned about. A parallel trend, according to this eWEEK story, is that there is a vast increase in phony antivirus malware. According to the piece, Panda is making the link between the explosion of such software and the economic downturn. The writer suggests that it might be too early to make the connection, but doesn't discount it.


Regardless, the software is being pushed aggressively. The story quotes Panda numbers that say each month 30 million computers are affected by one of the more than 7,000 variants of the exploit. The approach is generating about $14 million a month for the criminals, simply from people who pay for the software. Panda doesn't know whether the criminals are using the credit card numbers they collect to further rip off customers.


An increase in social-engineering attempts against the public is likely as well. Indeed, this is acknowledged in the UK. Apacs, a group identified as the nation's bank-payment industry organization, says that the uncertainty has led to an increase in phishing attacks against customers of Lloyds TSB, HBOS and Barclays. One example was a bogus e-mail asking customers to verify login information as an extra check as Lloyds TSB and HBOS merged.


The financial meltdown and the seemingly unavoidable recession that will follow -- indeed, the experts seem to think that we'll be lucky if it is only a recession -- also will have long-term ramifications.


This ZDNet post says that the last downturn actually helped the security sector. That won't happen this time, the blogger says, though the pain in the security sector likely will be less severe than in other areas. However, it will be pain nonetheless. He says that the coming time will not be one of innovation. The products and services that will thrive, or at least survive, will be those that perform an existing task more efficiently or less expensively. The final prediction is a bit of a downer: A recession means that, over the long haul, there will be fewer people watching machines that will be under greater stress. The result of this, of course, is increased danger.


A post written by Leader Networks President and CEO Vanessa DiMauro, while not directly addressing security issues, makes a relevant suggestion: Communicate with employees. They communicate with each other anyway, perhaps more so during a crisis. If management gets involved, it can reduce anxiety. The post offers some solid suggestions for facilitating communications. This seems like a great way to push back against the fear, uncertainty and anger that lead to both malicious and innocent problems.


There are many dimensions to the issue of security in a recession. The bottom line, however, is clear: IT and security staffs will have to do more with less in an increasingly unfavorable and even hostile environment.