When will vendors put safety first?

Neil Barrett

For the last few days, I’ve been suffering from two modern IT plagues: a denial-of-service attack against my email service provider and a virus that has infected my daughter’s computer. Both have cost me irreplaceable hours of time – on the one hand, to find a way of sending and receiving important emails while I’ve been out of the country and on the other, the effort of disinfecting my daughter’s computer and installing improved antivirus applications.

It seems that in business and elsewhere, we need to be increasingly aware of information security. Every one of us receives a daily torrent of unsolicited email; every one of us needs to buy and maintain some form of internet security; and every one of us needs to be wary of where and how our credit cards are used on the web.

Of course, there are analogies with other walks of life. Drivers need to be aware of the risks they face, and respond with appropriate measures – from the simple task of wearing seatbelts, to the on-going requirement to be vigilant while navigating the streets. And of course, there are accidents.

But there are things that can be done for information security to augment users’ vigilance – in the same way that airbags and crumple zones augment the careful driver. Operating systems can be better configured, so that the default settings are secure rather than not; web servers can also be better configured, as can email servers. And infrastructure can be improved if the producers of the server software can be persuaded that it is in their best interests to do so – just as the car manufacturers were persuaded to introduce crumple zones and airbags.

What caused the changes in the car industry? To an extent, government regulations; but to an even greater extent, the insurance companies who tired of paying out on avoidable injury claims.

How could this model be applied in the IT industry? Well, if web sites and service providers had to be insured against loss – and therefore had to report incidents, introduce mandatory improvements, and recompense users for loss – then there would be pressure to improve. This, of course, could not be globally applied: there will always be web sites that fall outside of normally-regulated environments, but it would go far to help those of us who only access “normal” web sites in well-policed countries.

We are all so dependent on those sites and supporting infrastructure that we deserve better protection. We should all decide what level of information security we need and then demand the key players meet that requirement.

Then, hopefully, my daughter won’t catch a virus from a web site and my email service will continue to be available to me. And I can concentrate on earning the money to pay for those things.