Yes, Security Is Still Important in 2009
Quite frankly, it’s even more important than it has been in the past.
This morning, I was reading some articles on information security, including news about the Conficker worm. You know, we haven’t had a really good worm in 3 or 4 years, so it seems that people have forgotten how dangerous those things can be, and how much damage they can cause in a very short period of time. So far, over 10 million (say it now, 10 meeeellion) systems have been affected. This is a sophisticated piece of malware that probably still has a few tricks up its sleeve.
Worms had fallen out of favor for a while, because it is much easier to breach systems and networks if you’re stealthy than if you make a whole lot of noise and tear up the Internet. A recent article published by InfoWorld shows that data breaches rose sharply in 2008. Part of the credit goes to the various disclosure laws that have gotten onto the books and force companies to admit that they were breached, but even accounting for that, you can see that things are not getting any better on the security front.
So, it was with great surprise that I read an article in InfoWorld where the author alleged that most companies have a good patch management process, and thus the “alarmist Patch Tuesday announcements” are unnecessary. Now, I don’t know which companies he sampled, or what his sample size was, but I can say from a sampling of a dozen or so organizations that I have knowledge of in this area, many are lacking. More than that, even some of the organizations that do have patch management processes in place are happy to get the “alarmist” Patch Tuesday announcements, because these are helpful in conveying urgency to business divisions that don’t see any visible evidence of problems.
You can bet that a significant percentage of those 10 million systems infected with Conficker are on corporate systems. I’ve been in places where even with a clearly defined maintenance window for servers, there was regular pushback by the business users as it pertained to *scheduled* server downtime. Businesses need to take security alerts seriously, and to the extent that there are diligent security experts who are clearly outlining the risks and remediation options available for the harried and understaffed security teams, they should be commended, not maligned.
It will be interesting to see if we have actually learned anything over the past few years as it relates to operational security, or if we have simply been lulled into a false sense of security because of the lack of visible worm attacks.
For more information about Conficker, see the following articles and reports:
The economic downturn only makes it more important to be on top of security issues, because businesses cannot afford any type of service disruption or loss of consumer confidence. Lest anyone think that security is a Windows-only affair, Apple has just released its first patches for 2009: 48+ patches.
2009 is already shaping up to be a major year in information security, to say nothing of regulatory and industry compliance. These two issues will be crucial to the survival of many organizations this year.
Will you be ready?