Statistics could prove a handy ally in helping companies large and small to ward off cyberattacks, according to one security expert.
Dan Geer, vice president and chief scientist at security software firm Verdasys, urged users to "measure something" in how their IT systems perform.
"You can't improve unless you find ways to keep score," Geer said. "Even if the initial score is meaningless, trends will be important over time." The main issue is to start tracking any system anomalies that might be indicative of security issues or breaches, he added.
Companies shouldn't worry if their methods of obtaining statistics aren't perfect; "good enough" data gathering is fine, according to Geer, whose background is as a statistician.
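The "keep score" advice above can be put into practice with very little machinery. The following is an added example, not code from the article or from Verdasys: it counts failed logins per day from a constructed, simplified auth log, builds a rolling baseline from the preceding days, and flags any day whose count sits far above that baseline. The log format, the window size and the z-score threshold are assumptions of this example; the point is that even a crude metric becomes useful once it is tracked as a trend.

```python
"""Keeping score: track one security metric over time and flag anomalies
against a rolling baseline (added example; log lines are constructed)."""
import re
from collections import OrderedDict
from statistics import mean, pstdev

# Assumed log format for this example: "<date> auth <success|failure> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) auth (success|failure) user=(\S+) src=(\S+)$")

# Constructed daily failure counts: six quiet days, then one noisy day.
DAILY = [("2006-03-20", 2), ("2006-03-21", 3), ("2006-03-22", 2),
         ("2006-03-23", 4), ("2006-03-24", 3), ("2006-03-25", 3),
         ("2006-03-26", 40)]


def build_sample_log():
    """Generate constructed log text from DAILY, plus one line the parser
    cannot read, to show that 'good enough' gathering simply skips it."""
    lines = []
    for day, failures in DAILY:
        lines.append(f"{day} auth success user=alice src=10.0.0.5")
        for n in range(failures):
            lines.append(f"{day} auth failure user=bob src=10.0.0.{n % 250 + 1}")
    lines.append("2006-03-26 kernel: unrelated noise line")
    return "\n".join(lines)


def count_failures_per_day(log_text):
    """Return an ordered {date: failed-login count}; days seen only with
    successes count as 0, unparsable lines are ignored."""
    counts = OrderedDict()
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, outcome = m.group(1), m.group(2)
        counts.setdefault(day, 0)
        if outcome == "failure":
            counts[day] += 1
    return counts


def flag_anomalies(series, window=5, z_threshold=3.0):
    """Flag points above mean + z_threshold * stdev of the preceding `window`
    points. The first `window` points only build the baseline; stdev is
    floored at 1.0 so a perfectly flat baseline still tolerates small noise."""
    days = list(series)
    values = [series[d] for d in days]
    flagged = []
    for i in range(window, len(values)):
        baseline = values[i - window:i]
        mu = float(mean(baseline))
        sigma = max(pstdev(baseline), 1.0)
        if values[i] > mu + z_threshold * sigma:
            flagged.append((days[i], values[i], round(mu, 2)))
    return flagged


if __name__ == "__main__":
    per_day = count_failures_per_day(build_sample_log())
    for day, n in per_day.items():
        print(day, n)
    for day, n, baseline in flag_anomalies(per_day):
        print(f"ANOMALY {day}: {n} failures vs baseline mean {baseline}")
```

The first days of data produce no alerts at all, which is expected: as Geer notes, the early score is close to meaningless, and the value comes from the trend it establishes.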
A well-known security expert, Geer was one of the speakers during a panel discussion on security at IBM's PartnerWorld show last week in Las Vegas.
The initial premise for the debate was the results of IBM-commissioned cybercrime surveys of companies in the U.S. and abroad. The findings indicated that the majority of users see cybercrime as posing more of a financial threat to their businesses than physical crime. With the threat from cybercriminals coming both externally, from organized groups of hackers, and internally, from disgruntled employees, companies are looking to upgrades of antivirus software and firewalls as their main protectors.
Although small and midsize businesses (SMBs) recognize security as their number one IT challenge, many of them still don't see themselves as potential cybercrime targets, according to panelist Howard Schmidt, president and chief executive officer of R&H Security Consulting.
"Cybercrime is indiscriminate," Schmidt said. "It could happen to you."
During a recent trip to Denmark, Schmidt said he'd been alarmed when firms told him hackers would go after U.S. companies, not Danish ones.
To dramatize the point that everyone is at risk, Geer drew an analogy with bank robbing. To steal US$1 million from a physical bank requires guns, planning and personal risk, whereas setting up an automated online hacking attack to steal $1 from one million individuals involves no danger to the criminal. He also warned that there are "no good neighborhoods" online.
So, how best to protect oneself? With many individuals "harmonizing", or using the same user names and passwords for many different online accounts, users are looking towards multifactor authentication technology as a better security bet. The technology combines at least two forms of authentication, which can be passwords or personal identification numbers (PINs), physical tokens, or biometric data such as a thumbprint or retinal scan.
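To make the "at least two forms" idea concrete, here is an added example (not code from the article or any product mentioned in it) of a server-side check that combines a password with a time-based one-time code of the kind generated by a physical token or authenticator app. It uses PBKDF2 for password storage and the HOTP/TOTP construction from RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second steps, six digits); the account record, the salt handling and the one-step clock-drift window are assumptions of this example. A reused password alone is not enough here: both factors must verify.

```python
"""Two-factor verification: stored password hash plus a TOTP code.
Added example; account data below is constructed."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000  # assumed cost setting for this example


def hash_password(password, salt=None):
    """Derive a PBKDF2-HMAC-SHA256 hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Constant-time comparison of the recomputed hash against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected_digest)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current code or one step either side to absorb clock drift."""
    at = time.time() if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        # evaluate every candidate so timing does not reveal which one matched
        ok |= hmac.compare_digest(totp(secret, at + drift * step, step), code)
    return ok


def make_account(password, totp_secret):
    """Constructed account record: salt, password hash and shared TOTP secret."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def authenticate(account, password, code, at=None):
    """Both factors are always checked; the result is their conjunction."""
    pw_ok = verify_password(password, account["salt"], account["pw_hash"])
    otp_ok = verify_totp(account["totp_secret"], code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    acct = make_account("correct horse battery staple", os.urandom(20))
    now = time.time()
    print("password only:", authenticate(acct, "correct horse battery staple", "000000", now))
    print("both factors: ", authenticate(acct, "correct horse battery staple",
                                         totp(acct["totp_secret"], now), now))
```

The RFC 6238 test vector (secret `12345678901234567890`, time 59) yields `287082`, which is a convenient way to confirm the TOTP half of the check against an independent implementation.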
While Geer says he's no great fan of multifactor authentication, he doesn't have an alternative technology to suggest. "What I fear is that the system will be hard in the sense of brittle, not in the sense of tough," he said. However, having physical tokens might be a way to get individuals to more fully embrace the concept of security, should they treat the tokens in the same way as their house keys, he added.