Are High-Profile Hacks Spurring Your Security Business?
Hacker collective LulzSec claims that its campaign earlier this year was in part designed to raise awareness about the poor state of corporate and government IT security.
But the recent rash of high-profile cyberattacks and data breaches hasn't produced the kind of business opportunities for which many solution providers and vendors had hoped.
Instead, security solution providers often are finding the same kind of customer reluctance, apprehension and lack of understanding that was common before the arrival of LulzSec and fellow hacker collective Anonymous. And one solution provider believes that the flood of hacker-related headlines, which sound like horror movie titles and seem to trickle out like with alarming regularity, may actually have a negative effect on the IT security business.
"I'd argue that there's been so much news about these attacks that it almost leads to apathy," said Jay Smith, partner and president of sales at Security 7 Networks in Hampton, N.H. The news about hacking campaigns and cyberattacks has been overwhelming at times and he worries that customers, especially smaller businesses, might be paralyzed by the onslaught and not know where to begin to protect themselves.
Chad Curtis, vice president of engineering at Business Communications Inc., Ridgeland, Miss., said the swarm of hacks and viruses this year hasn't helped BCI, either. IT security has become an increasingly significant part of his company's business, Curtis said, but the news of cyberattacks hasn't driven business up at all.
Curtis believes that the problem is simple human nature. "We went through [Hurricane] Katrina in 2005, and you'd think that it would have pushed people to invest in disaster recovery and backup solutions -- but it didn't," he said. "People think something like that will only happen once, so if they avoided it the first time, then they're OK."
That way of thinking is especially problematic with small and midsize businesses, which don't view themselves as desirable targets for hacktivist groups like Anonymous and LulzSec. But the more prevalent threat for businesses is malware, which doesn't care about a company's size or brand and will infect whatever system it can.
Companies also may be suffering from a false sense of security, so to speak. According to PwC's 2012 Global State of Information Security Survey, 72 percent of executives and IT directors contacted said they were confident that their organization's security measures were effective. But the same study, which surveyed more than 9,600 people, showed that core security capabilities -- such as identity management, monitoring employee Internet usage and other protocols -- have been consistently declining since 2008.
"LulzSec and Anonymous certainly raised awareness to a problem that's existed for a long time regarding inadequate security," said Derek Manky, senior security strategist for Fortinet's FortiGuard Labs. "But you still have a lot of people making the same mistakes, so it's going to take time."
Manky said he's seen a rise in more sophisticated malware for both desktop and mobile devices, not to mention more targeted spearphishing attacks on businesses of all types and sizes. The key, he said, is not just upgrading security infrastructures but also educating businesses about "human errors" that typically lead to vulnerabilities and breaches.
NEXT: Changing The IT Security Conversation
Steve Hale, vice president of global channels at Sophos, said news of devastating data breaches and cyberattacks alone is not enough to get businesses to act. The conversation has to be framed around a specific business or industry. For example, cyberattacks can be much more devastating for larger enterprise companies with nationally recognized brands.
"When we see those kinds of attacks, we see a lot of companies that don't want their brands associated with that kind of negative news," Hale said. "So we're getting pulled into those conversations now, which is great."
Compliance is another way to frame the discussion, said Greg Fitzgerald, vice president of global marketing at Fortinet. "We're seeing SMBs take security more seriously today because of compliance," Fitzgerald said. "In some cases, the cost of a government fine could be higher than the cost of repairing a breach or upgrading your network security."
Still, it seems that fear is not much of a motivating factor for investing in IT security. So what is driving the security market today? Solution providers say it's a variety of factors.
Security 7’s Smith, for example, said that infrastructure consolidation allows his company to get its foot in the door much more often than any one cyberattack or virus. "There have been flavor-of-the-month attacks and viruses as far back as I can remember, and they don't hurt business, but my phone's not ringing off the hook because someone saw a LulzSec attack in the news," Smith said. "The big driver for us is redundancy. Companies are trying to reduce redundant systems and they want to find out what they need to do to stay protected as they change their infrastructure."
BCI, meanwhile, has taken a different approach with security. The company built its own 4,500-square-foot data center earlier this year and recently launched BCI Cloud Services for private cloud hosting. Because cloud computing is the hot technology these days, Curtis said BCI Cloud Services has been in high demand -- and BCI is using that demand to bolster its security practice. In short, BCI won't let customers access its cloud without adequate, up-to-date security measures, which gives the solution provider a way to sell security solutions along with cloud services.
"Cloud is now the enabler for security," Curtis said. "It's a good excuse for us to get customers' security up to speed."
Still, security faces an uphill battle for scarce IT dollars. Hale said there are still economic factors holding back companies from making IT investments, and it gets even more challenging when you move down from the enterprise level. "There's no enterprise company today that's going to skimp on security," Hale said. "But there is much more education that needs to be done in the SMB market about security."
It's going to take more than a magic bullet in the form of a major data breach or hack to change the way businesses think about security, Curtis said. "Customers are more concerned sometimes with the cost of removing malware rather than what the malware is actually doing to their machines," he said. "And that needs to change."