http://www.forbes.com/home/free_forbes/2006/0605/100.html

By Matthew Rand and David Whelan
06.05.06

To sell antivirus software, first you must sell the fear.

Verisign, the intrepid Web security giant, issued an ominous warning in December. It predicted an imminent invasion by a worm called Sober, which would infect networks worldwide and clog up the Internet. It would be timed to coincide with the 87th anniversary of the founding of the Nazi party. Other firms joined in a chorus of worry, offering an abundance of soundbites for news outlets.

Then in January dozens more reports, similarly circulated by security firms, warned that an e-mailed virus called Kama Sutra would ruin PCs from Seattle to Sri Lanka.

Neither outbreak ever occurred. Two small security software outfits claimed credit for blocking Kama Sutra, but Microsoft (nasdaq: MSFT) said later the threat was overblown. Vincent Weafer, who runs the security response division at Symantec (nasdaq: SYMC), the world's largest seller of antivirus software, concedes both threats were duds and that his rivals overhyped them. "To get attention, you pick something new and say the sky's falling down," he says.

Fear-mongering sparks big business in the thriving computer security industry. Spending will grow 18% this year to $38 billion. In 1995 venture capitalists backed all of 3 new security firms; last year they funded 96 newcomers. To stir up business, they ply fearful forecasts and ominous ads. RSA Security's (nasdaq: RSAS) annual conference in San Jose, Calif. drew 14,000 this year, up from 10,000 in 2004. Some 4,000 attendees paid the full $1,100 to $1,900 to get spooked in person.

The fetish for fretfulness has gotten old. U.S. losses last year from corporate security breaches "declined dramatically," say the Computer Security Institute and the Federal Bureau of Investigation, to $130 million based on a survey of 639 companies. (Other incidents go undetected because companies are too ashamed to report them.) Three-quarters of companies said they had some virus problems last year, but 94% said so in 2001.

The improving stats have done little to lift the security industry's mood. Symantec recently warned that instant messaging would be the next source of threats, while flogging a new product that scans instant messages for viruses. In 2003 it called cell phones "the Achilles heel," while promoting new wireless products. "Chief executives are like consumers. They are heavily influenced by what they see on CNN or in the newspapers," says Symantec's Weafer.

The antivirus warriors lately have conducted surveys to highlight a glaring security weakness: the gullibility of a company's own employees. Never mind that even their toughest products can't protect much against same. Offered the chance to win chocolate Easter eggs, 81% of London commuters polled gave out their birthdays, pet names and other personal data, possible clues for cracking into their e-mail accounts. The pollsters were hired by the organizers of the Infosecurity Europe conference.

Before the same conference two years ago RSA Security performed a similar stunt and found that 79% of people gave out this kind of personal information--free. That prompted a press release: "Internet identity theft threatens to be the next crime wave to hit Britain." In the U.S., RSA, which sells electronic tokens that generate randomized passwords, hired a perky team in "I Love NY" T shirts to scour Central Park and sweet-talk tourists into giving out their mothers' maiden names; 70% did. Newscasts in San Francisco, Miami and Boston ran the story.

Christopher Young, an RSA vice president, bristles at any suggestion that the surveys were aimed at stoking sales. "It's hardly that direct." The surveys, he says, are used only to "raise awareness."

Some 70% of security breaches are caused by human error, says a March 2006 survey by the Computing Technology Industry Association. Brian Boetig, a supervisory special agent with the FBI's computer crime unit in San Jose, Calif., describes the typical breach: "When you fire an employee and don't change their password, they can get into the system and get information to a competitor." No technical solution there. Says Boetig: "There are people creating problems so they can fix them. But that's marketing for you."

© Forbes.com Inc. - All Rights Reserved