Is There Such a Thing as Too Much Security?

Monday, June 18, 2012

Lee Munson

4ff49873e3fed9a24adf0d37ae00b780

Is There Such a Thing as Too Much Security When it Comes to Your Computer?

Usually, when you hear people talk about computer security, it is about everything that you need to do to make sure that you stay safe. And most of that is usually very good advice.

We all know that the internet has a lot of dangers so it pays to always be on the lookout. If you are not then you will find out very quickly that your computer can pay the price.

But some people get turned off to the message when it comes to computer security.

When something is put in your face so many times you usually have one of two responses: You either pay attention and it becomes ingrained into your way of thinking. Or you can start option number two which is that you are tired of hearing the message and you want to just ignore from now on.

And that happens more often than you think. There are a lot of people who surf the web thinking that because it has never happened to them that they do not have to worry about getting hacked even though they have no protection on the computer.

Some of the people even think that it is all a scam and that the antivirus companies are the ones who are creating the malware and placing it on people’s computer. Of course that view is very misguided but it does not stop a lot of people from having it.

But these people do have a minor point when it comes to the message of computer security in the modern age. While before you would not hear enough about computer security and people did not know that there was a problem out there to worry about, we are now at the opposite end.

People who are in the computer security business are using too many scare tactics. Instead of informing the customer properly they are trying to scare them into using the company’s products.

That is never a good thing and it is the reason why we have so much of a backlash going on now.

The truth is that while you do have a need for a lot of the security products that are out now, you probably do not need all of them. For example, most modern email web host do a check for any malware that is known to the public.

You probably do not need that feature in your antivirus solution. You probably only need that feature when you are using a desktop email client and not one of the more popular web host like GMail or Yahoo Mail.

The needs that you have as a normal individual when it comes to computer security are a lot different than the needs a business might have. So you should not be marketed to in the same manner.

But a lot of these security software vendors do just that. They try to sell products that are meant for their bigger clients to the little guys as well. There is a need for the little guy to be secured but they are not the target that some of the security vendor’s bigger clients are.

When you are talking about computer security you must always be aware of your personal situation. Everyone needs security when they go online but everyone does not need the same amount of security.

For most people an updated antivirus solution and an updated Firewall solution will be all that they need.

Possibly Related Articles:
14691
Security Awareness
Information Security
Firewalls Antivirus malware Security Awareness Marketing Information Security FUD Consumers vendors
Post Rating I Like this!
1de705dde1cf97450678321cd77853d9
Ian Tibble The whole subject of trust in our infosec world is covered in my book in more detail but ... its like the security industry needs bad things to happen in order to validate itself, and this "look, you see, bad things _do_ happen!" thing happens across the board. Service providers break out the champagne and cigars when there's a high profile hack. Really though, if we're well versed and backed up by some years of coal face, infrastructure, tech risk analysis experience, our own confidence should be enough. We shouldn't need "evidence" of a threat.

Its because we haven't gained the trust of our customers (be they C-levels, other BUs, the general public) that some of us feel the need to resort to scaremongering.

The closest things we have to an acid test for the efficacy of anti-virus is whether or not "business-oriented software development professionals", or malware writers, setup their wares to install and update anti-virus if it's not already present. And from what I hear, yes, they're still doing this.
It's not great, never was, never will be, but at least it does something useful occasionally, perhaps. I never want to hear the word "heuristics" in any discussions on security products, or more recently "big data" - but that's a side point.

If you want to see scaremongering, check this out: http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf and there's even a "best practices" pill to swallow too.

So home users need to do all this? What the NSA are doing here is worse than any vendor.

"Everyone needs security when they go online but everyone does not need the same amount of security." Yes - there's a paragraph or two missing from the start of that NSA doc - something like "What do you use your computer for?"

good article, and thanks.


1340084903
4ff49873e3fed9a24adf0d37ae00b780
Lee Munson "..its like the security industry needs bad things to happen in order to validate itself.."

That is so true Ian and, as you say, I too believe that is solely because, "we haven't gained the trust of our customers" which isn't something that seems likely to be fixed any time soon.

As someone outside of the security community looking in I see large companies using bad news to get quick sales and then... thats it. There is little in the way of customer relations, education or support and the only way the client feels their security investment is worthwhile is when they hear the next scare story on the news! But of course they may well not be which is another story entirely...
1340096968
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.