Like all the big, crunchy questions, the answer is a lot more complex than initially seems possible.
 
You could take some sort of statistical approach – what proportion of businesses deploy antivirus software to their desktops? – and come up with a big number that implies ‘yes, it does’. (Or maybe not).
 
You could interview the CTOs of a representative sample of large organisations and ask them for more in-depth examples and views. Again, it’s pretty likely that you’ll come up with a positive picture.
 
However, those results are misleading in some respects. And I think that’s because the question involves two big abstract terms. ‘Business’ is an idea, not a person, so it doesn’t care about anything much. Security doesn’t appear on the mission statement, I’d be willing to wager. Nor would it be appropriate for it to be there. Alongside things like Health and Safety, environmentalism and equality of opportunities, it’s the sort of thing we expect businesses to care about, but we know it’s not their primary function. And does ‘business’ mean the board, the IT department or every single member of the organisation?
 
Similarly, ‘security’ is extremely slippery as an idea: we’re talking about systems, software, attitudes, processes and policy.
 
So to break it down: does Jon in logistics make sure his internet browser is patched* to the currently advised levels? No, he couldn’t care less. He’s got a big shipment that needs to be in Paris tomorrow – so don’t start messing with his machine right now, thank-you very much. But he does care –a lot – that his system works and that he doesn’t get in trouble.
 
What we keep arguing for is an holistic approach to security. That doesn’t mean that we need to persuade Jon that his patch levels need to be up-to-date. That isn’t going to happen. Sorry.
 
What it does mean is that the security and IT department are able to manage his security for him – all the time. It’s pretty much impossible for Jon to screw-up or for his machine to get compromised because the policies are baked into the processes and the technology.
 
What are your views on this? Voice your opinions on the Register’s Security That Fits Workshop before it closes later this month.
 

 

So once again many many thanks, and here’s to next year!

___________________________________________________________________________________________

I am very proud to be able to say that Countermeasures has been shortlisted for the Computer Weekly IT blog awards 2009 in the IT Security category.

 

So firstly, many thanks to all of you who felt motivated enough to nominate the blog in the first place.

 

Now the contest heats up as voting has opened, so if you’re a regular reader, or are simply coming here for the first time and like what you see please head over to the voting page at Computer Weekly and vote for Countermeasures in section 9: IT Security.

 

Thanks again for reading and now back to your regular program.

Back in June of 2008 you may remember there was some noise in the IT press, as Trend Micro was declining to participate in some of the well known anti-malware tests, such as VB100. Our argument at the time, and this still stands today, was that those tests simply do not accurately reflect the threat as our customers encounter it, and as such the results may offer a false sense of security.

The internet has emerged as the most abused attack vector, attacks are multi-variant, multi-protocol, distributed in source (botnets), often targeted in nature and can no longer be defeated by the pattern-matching techniques that have been at the core of security software for so long.

Traditional security product testing has mostly been conducted in an isolated lab environment with a selected list of malware and this does not allow modern security software to perform to the best of its abilities. Trend Micro uses the internet based capabilities of the Smart Protection Network to provide real-time dynamic protection, focusing not just on the malicious file, but the malicious email and web site as well, creating smart correlated rule-sets designed to thwart malicious activity.

This is a threat-centric philosophy not a file-centric one. The aim is to break the chain of infection, or block the threat, as early as possible; looking first at the “exposure layer” or where threats come from and subsequently at the infection layer, or “what the threat does when it arrives”.

Independent and importantly unsponsored testing, from NSS Labs, has just been released that underlines the importance of this new approach. In July and August of this year NSS Labs performed 17 days of 24×7 testing on 9 consumer and 10 enterprise products.

Is Trend Micro’s cloud-client Smart Protection Network ready for prime time? I think the results speak for themselves…

"Trend Micro achieved the best download and execution protection with 96.4% overall" - Source: NSS Labs Consumer Report, September 2009

NSS Labs Consumer Report, September 2009

NSS Labs Consumer Report, September 2009

Download the full reports from NSS Labs here