Rest in peace, antivirus tools. You had a good run for a security technology — 1987 to 2014.
In case you missed it, in May, Symantec called time of death for antivirus software. It did so not because AV technologies suddenly became less effective. Rather, the company finally acknowledged that it’s not a matter of if, but when, an organization will be targeted and that antivirus products will stop only some attacks. Plenty of security bloggers and pundits reacted with glee, given that antivirus software reportedly represents 40% of Symantec’s revenue.
But it’s not quite that simple. Eugene Kaspersky at the Kaspersky CyberSecurity Summit summed up the reality, likening antivirus software to a seat belt — you need it, but it’s not the most important part of your protection efforts.
So when it comes to endpoint security in 2014 and beyond, what is most important? A willingness to aggressively shake up your strategy.
The endpoint is where the security war is now being waged; it has topped our list of breach vectors in the last two InformationWeek Strategic Security Surveys. Among the 2014 Strategic Security Survey respondents whose orgs were successfully attacked within the past year, 76% had at least one malware-driven breach, up from 69% in 2013, and 59% had at least one phishing-based breach. A new approach is required. To extend Kaspersky’s analogy, this is IT security’s “airbag” moment. Airbags significantly reduce the risk of death in serious crashes, but while they were invented in 1952, they weren’t operationally feasible in automobiles until the 1970s and not widely deployed until much later. The catalyst? The invention of the electronic data recorder, which tracks activity to determine when to deploy an airbag. Airbag technology allowed us to shift from building cars to withstand impact (big and lots of steel) to building cars to reduce the effects of an impact on occupants — a significant change that has led to massive increases in both safety and efficiency.
To cope with the changing threat landscape, you need a rich mix of tools and processes, a big dose of vigilance — and to avoid getting discouraged. So many Fortune 500 companies, government agencies, and healthcare orgs have been in the news that we’re seeing “breach fatigue,” leading to some level of disheartenment. We asked the 536 respondents to the 2014 Security Survey, all from organizations with 100 or more employees, what security technologies they would retain if they could pick only three. Our goal was to find out which products earn their keep. The results weren’t encouraging. While 89% have endpoint protection deployed, only 44% would hang on to these products. Most would jettison other widely used technologies, too, including patch and identity management.
As we discuss in the Strategic Security report, it’s apparent that companies are buying products they know won’t entirely solve their problems.
It’s an issue, because no one has unlimited money for security. Just 37% of respondents saw increases in spending, even as the number of attacks skyrockets; 59% make do with 10% or less of the overall IT budget. Most — 75% of more than 400 respondents to our 2015 Consumerization of IT Survey — say the No. 1 barrier to allowing end-users to connect their personal equipment to the organization’s network is fear that the devices are infected with malware.
Guess what? IT’s inability to afford new security products isn’t going to stop the consumerization wave. So we’d better start thinking creatively.
Stay tuned for the next post in this four-part blog series where I examine the need for shifting our focus to protecting the endpoint.