IT security is a concern for many businesses. At least that’s what a survey at the recent Black Hat conference concluded. Most of the respondents couldn’t be sure that a foreign state-sponsored attack had not occurred in their networks. About half of the people were not confident that their staff could even detect an attacker. That’s a little scary as many of the people felt their systems might come under attack within the next year.
Digital technology has changed the world in many ways, but one of the most amazing to me is how it has leveled the environment in which all of us can interact. No longer does communication, publication, research, or even war require the resources of a country or even a large organization. In the cyber world, an individual can make as much impact as a large entity. As with most things, this is a double-edged sword, and I’m sure many of us will find that vandalism, as well as malicious attacks on our systems, will increase in the future.
However, the threats, or perhaps the consequences, aren’t severe enough yet. Most companies allow shoddy code, vulnerable to SQL injection, to pervade their internal (and sometimes external) applications. Security training is limited, and review of third-party applications is extremely lax. The respondents at Black Hat are making efforts, but they are a self-selecting group. Most organizations would never send an employee to Black Hat events or even monitor the trends and information published by groups like SANS.
I do believe that security will become more and more of an issue. I suspect, however, that until businesses are liable, and decide to purchase insurance, we won’t see much change. Once insurance premiums start to depend on the level of security you implement, I suspect we’ll see the quality of application code increase.