Security Hysteria: Let's Cut the Hype

Citigroup, Sony, Facebook, and Apple -- the hysteria over security and privacy breaches is drowning out rational thought. I'm not saying there isn't a problem -- hacker gangs are operating like a well-organized cyber-Mafia -- and doing real damage. But take a deep breath, counsels Avivah Litan, a veteran Gartner security analyst. "You've got to distinguish between attacks -- there are lots -- and damage -- where there's much less," she tells me.

Consider the recent hack against Citigroup. For all the front-page stories in the New York Times and the consternation in Washington, D.C., it appears that in the end, nothing useful (to criminals, that is) was stolen. "They did not get the good stuff," says Litan.

Or think about the endless hand-wringing about location data stored on the iPhone. In the end, there wasn't one single instance of real harm that anyone claimed, much less proved. When you think about it, many of the privacy issues we hear so much about come down to a tracking cookie on your hard disk that results in a relevant ad being served up. So what?

But while we're sweating over threats that don't have real-world consequences, we're missing threats that do. My fear is that the hysteria will get picked up by the techno-peasants in Congress and we'll wind up with burdensome regulations that will do more harm than good.

Vendor FUD threatens user security
To be clear, neither Litan nor I are claiming that there are no serious security threats or that they haven't caused significant damage. They have, of course, and it probably costs the economy billions of dollars a year -- real money, even in these days of trillion-dollar expenditures and deficits. And the recent attack against Lockheed had serious national security implications.

But are we facing a dual crisis caused by criminal hackers and feckless companies, like Facebook, eager to ream your privacy? We are not.

It's very easy to panic when you read about security breaches day in and day out. Much of the hysteria comes from what I call the vendor-blogger complex. Security companies make their living selling security products and services, so it is in their interest to stir the pot from time to time. Because bloggers and tech publications live and die by page views, it's awfully attractive to take a report, puff it up a bit, write a scary headline, and reap the rewards.

I'm not suggesting that reputable companies like Symantec are making stuff up -- they're not. But my mailbox is full of reports by security vendors, and when I read them carefully or interview the authors, I've noticed that many of the threats they highlight haven't appeared in the real world. Yes, they exist, but there's often no evidence that anyone has been victimized. Indeed, the constant drumbeat of scare stories may well result in a "cry wolf" syndrome, where users simply stop paying attention and even neglect prudent security precautions.

Small business isn't protected
Instead of worrying that some advertiser will follow your browser from site to site, you might want to worry that law enforcement can follow you (not your avatar, but you) by accessing data on cellphone towers -- without a warrant, says Rebecca Jeschke of the Electronic Frontier Foundation. Or maybe you should read reports of a recent federal memo that says FBI agents can rummage through your trash without a warrant. Now, those are privacy violations.

Federal law and commercial practice protect consumer bank accounts from electronic theft, and fake purchases made with your credit card are reimbursed. But if you run a small business, you don't have that protection -- and that's something to get worked up about, says Gartner's Litan.

For example, the account of Maine-based Patco Construction was recently hacked to the tune of $500,000 or more, and a court held that Ocean Bank, the institution that held the money, was not liable. Comments Litan in her blog:

Current laws protect consumers, probably because legislators realized long ago that they couldn't necessarily protect themselves. Small businesses especially have the same issues -- the threats have moved beyond small business ability to stop them via most commercially available antivirus software and personal firewalls.

While major banks like Citi spend millions of dollars on security and share information with other major banks, smaller banks and the third-party services they use to settle transactions aren't nearly as sophisticated, says Litan. Wouldn't it make sense to protect the small businesses that depend on them? You can bet that institutions like Ocean Bank will tighten security when they're on the hook for damages to commercial customers.

The lesson of Sarbanes-Oxley
Talk to executives at almost any public company and you'll hear complaints about Sarbanes-Oxley; the financial accountability regulation is expensive, burdensome, time-consuming, and on and on. That's all true, and there have been calls by some Republican presidential candidates to repeal it. Odds are it won't be repealed -- a very good thing despite the law's flaws.

Sarbanes-Oxley was enacted because public companies were abusing shareholders by withholding relevant information and disguising bad news under a cloud of accounting double-talk. Public companies asked for trouble, and they got it.

The same scenario could unfold if real security breaches continue and fake security and privacy concerns continue to be wildly hyped. Some regulation, like the banking change I mentioned, should happen. But a sweeping cyber security or online privacy law enacted by an institution that doesn't understand technology could be dangerous and, at the very least, create a huge burden for IT.

Finally, as my colleague Galen Gruman pointed out this week, users need to assume more responsibility for their actions. Taking simple precautions, like changing passwords and -- above all -- paying attention to the online environment (don't click OK to everything) would go a long way toward mitigating threats and quieting the hysteria.

I welcome your comments, tips, and suggestions. Post them here so that all our readers can share them, or reach me at bill.snyder@sbcglobal.net. Follow me on Twitter at BSnyderSF.

This article, "Security hysteria: Time to cut the hype," was originally published by InfoWorld.com. Read more of Bill Snyder's Tech's Bottom Line blog and follow the latest technology business developments at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.