Security: Things That Didn't Happen in '09 and Probably Won't in '10

We look back at how well GFI's David Kelleher did on predicting what was NOT likely to happen in the security department this year.

At the beginning of 2009, CSO ran an article contributed by David Kelleher, communications and research analyst at security software firm GFI Software, about ten things that wouldn't happen in 2009. At that time, Kelleher gave us his picks for ten things he predicted security pros would want, but were not likely to get, in the coming year.

As we head into 2010, we decided to look back at how the year shaped up and spoke with Kelleher about his prognosticating. His reaction?

"I would say the predictions are spot on," said Kelleher.

Read on to see what Kelleher had to say at the beginning of the year. How did these "fake predictions" shape up in your security program? How do you think they bode for 2010? According to Kelleher, even though the world of security is constantly evolving, the more things change, the more they stay the same.

Fake Prediction #1: Organizations will pay greater attention to security in 2009
The reality in 2009: Breaches continue to plague enterprise security

"And pigs will fly!" said Kelleher at the time he made the "unprediction" that organizations would pay more attention to security. "The 'it won't happen to me' syndrome will strike again and thousands of records will be put at risk," he predicted.

Taking a glance at this very long list of breaches that occurred over the last year, it appears Kelleher was, indeed, spot on. 2009 began with a monster breach announcement from Heartland Payment Systems, which disclosed that its credit card payment systems had been hacked and that millions of clients had sensitive data exposed.

The list of organizations hit by breaches grew rapidly over the course of 2009. Even security vendors got hit, as CSO Senior Editor Bill Brenner discussed in his FUDWatch column.

Fake Prediction #2: IT security spending will increase in 2009
The reality for 2009: Depends on who you ask

CSO reported on a Forrester Research survey at the start of 2009 that found security spending was actually up for some IT departments. The Cambridge, Mass.-based research firm interviewed nearly 1,000 firms for its State Of Enterprise IT Security: 2008-2009 report and found, among other things, that security's share of IT budgets was expected to reach 12.6 percent in 2009, up from 7.2 percent in 2007 and 11.7 percent in 2008.

But a survey conducted by CSO told a different story. That story, published in February, revealed that economic conditions were having a negative impact on the majority of security budgets. CSO polled security decision-makers at over 100 companies about their spending plans for 2009. Of the 159 respondents, 64 percent indicated that the economy was having a negative impact on security spending. Many respondents indicated that hiring freezes or staff reductions were necessary because of the financial crisis.

Fake Prediction #3: Employees will use IT with greater security awareness in 2009
The reality in 2009: The user is still the weakest link

Security awareness among employees has always been a challenge for CSOs, and 2009 was no different, said Kelleher.

"You can do as much as possible but the people are going to be your worst nightmare," said Kelleher. "The bad guys have realized that it is so much easier to go through the employee and get into the organization. It is the path of least resistance."

If the breach list mentioned earlier is any indication, employees continued to engage in bad behaviors, like sticking passwords to monitors and using their portable devices to copy company material. By the way, even employees here at CSO are not immune to this kind of bad behavior. Check out this walk-through of our offices, where we spot six desk mistakes employees make every day.

Fake Prediction #4: Employees will not fall for phishing and social engineering attacks in 2009
The reality in 2009: Tricky tactics got even trickier

Employees may now know better than to fall for that email from the prince in Saudi Arabia who wants to leave you half of his fortune. But phishing and social engineering tactics have evolved to a new level, and users are still getting duped -- a lot. (See: 9 Dirty Tricks: Social Engineers' Favorite Pick-Up Lines) Specifically, 2009 saw the "scareware" scam explode, and it became big business for the bad guys.

Scareware uses bogus pop-up ads that tell users "Your computer may be infected" and urge them to download "security software" that will supposedly scan for viruses, protect the computer from future infection, or both. Most of these products are scams that deliver useless software and, in some cases, are outright dangerous because they install malicious code.

People fell for it in droves, said Kelleher. And who can blame them? Most security awareness programs don't keep users up to date on the latest cybercrime tactics.

"Most people don't know these things," he said. "And you can't blame them if they haven't been told not to do these things."

Fake Prediction #5: Employees will pay attention to company security policies in 2009
The reality in 2009: Fat chance

If employees were following security policies, you probably wouldn't have the problems described in the rest of Kelleher's predictions, right? Are your employees ignoring security policies? Or are they not even aware of the policies? CSO spoke with security policy experts Charles Cresson Wood and Scott Hayden for their feedback, and the Security Tools, Templates and Policies library has plenty of examples of security policies used in organizations.

Fake Prediction #6: Facebook will be forgotten in 2009
The reality in 2009: Facebook exploded and more organizations allowed their employees to have access

Facebook, which now claims to have in excess of 350 million users worldwide, saw triple-digit growth in 2009, and many of your employees joined up and logged on at work. In March 2009, CSO reported on a survey from the Security Executive Council which revealed that 86 percent of organizations no longer block Facebook, Twitter or LinkedIn and allow employees to access these Web 2.0 applications at work. Since the writing now seems to be clearly on the wall about social networking access at work, Kelleher said it is more important than ever to have an acceptable use policy in place.

"Employees need to be told from day one what they can and can't do," he said. "As time goes by, bad guys are constantly finding different ways to use social networking to attack."

Check out 4 Tips for Writing a Great Social Media Policy for advice on crafting rules that address the newest attack vector in the enterprise.

Fake Prediction #7: Employees will not open files from people they don't know in 2009
The reality in 2009: Malicious files now seem legit

Facebook, as well as Twitter, the other social networking explosion of 2009, upped the ante when it came to malicious links and files. Hackers got into accounts and sent out mass messages to so-called "friends" and "followers" asking questions designed to pique curiosity, such as "Hey, did you see this video of you?" The source appeared trustworthy, so many users did click, and were promptly infected with all sorts of nasty things. (See: 5 Facebook, Twitter Scams to Avoid)

Another popular phishing scam this year involved emails purporting to come from popular banks, such as Bank of America, which claimed to need sensitive information because of an account breach. Again, Kelleher stressed that an effective security awareness program needs to be ongoing, so users can be kept abreast of new scams.

Fake Prediction #8: Company devices and data will never be lost again in 2009
The reality in 2009: More employees began using mobile devices, more data was lost

Kelleher said he was recently asked about his thoughts for 2010 with regard to data loss. Will we see more or fewer lost devices?

"I think that while we will see a reduction in the number of devices lost, the number of cases of records being lost will increase," he said. "Storage devices today can carry so much more information. A single lost USB stick can now add up to the losses of ten breaches in the past."

As for 2009, Kelleher thinks the trend that really stands out is the increasing mobility of the world's workforce, meaning the data loss prevention (DLP) implications grew accordingly.

"The more employees are becoming mobile, the more they are using technology to carry data around with them and using devices to transfer data. The more devices are in use, the greater the risk for data leakage."

Fake Prediction #s 9 and 10: Vulnerabilities and threat vectors will decrease and you will have an easy life in 2009
The reality in 2009: Cybercriminals got savvier, stress levels in the security department soared

Just as Kelleher predicted 2009 would not be easy, 2010 is shaping up for more of the same.

"I think we are going to see a lot more web-based malware appearing," he said. "In all its different forms: hijacked sites, drive-by downloads, rogueware."

Also look for insider threats to increase, he predicted, as economic pressure forces people who are, as Kelleher said, "only human," to do what they think they need to do to survive. Ditto the threat of social engineering.

"Social engineering is here to stay as more people use these social networking sites," he said. "This has created a convergence between email and the web and the element of human nature will feature strongly once again."

This story, "Security: Things That Didn't Happen in '09 and Probably Won't in '10" was originally published by CSO.

Copyright © 2009 IDG Communications, Inc.
