/v3-uk/news/1998708/gartner-slams-it-security-scaremongers
10 Jun 2005, Robert Jaques, V3
Companies have been losing out by failing to implement key emerging technologies because IT security risks associated with the technologies have been greatly exaggerated, industry experts have warned.
Analyst firm Gartner identified the five most over-hyped security threats as:
"Many businesses are delaying rolling out high productivity technologies, such as wireless local area networks and IP telephony systems, because they have seen so much hype about the potential threats," said Lawrence Orans, principal analyst at Gartner.
John Pescatore, vice president and Gartner Fellow, added: "We have also seen the perceived need to spend on compliance reporting for Sarbanes-Oxley hyped beyond any connection with the reality of the legislation."
Denying accusations that IP telephony is unsafe, Gartner noted that security attacks are rare for IP telephony. Preventive measures for securing an IP telephony environment are very similar to those for securing a data-only environment, the analyst firm advised.
Gartner added that IP telephony eavesdropping is the most over-hyped threat. Eavesdropping is unlikely to happen since it requires local area network-based access to the intranet.
"Enterprises that diligently use security best practice to protect their IP telephony servers should not let these threats derail their plans," said Orans. "For these enterprises, the benefits of IP telephony far outweigh any security risks."
Gartner went on to predict that mobile malware will be little more than a "niche nuisance" in the foreseeable future.
Penetration of smartphones and PDAs with always-on wireless among knowledge workers and consumers was estimated to be about three per cent in 2005. Gartner projects it to reach approximately 10 per cent by the end of the year.
"Antivirus vendors see huge potential profit opportunities in selling security solutions to billions of cellphone and PDA users," said Pescatore.
"In particular, the antivirus industry sees cellphones as the way to grow sales outside of a flat, commoditised PC market. However, device-side antivirus for cellphones will be completely ineffective."
But antivirus vendors have hit back at the suggestion that they are selling ineffective products. "I completely disagree with that," said Sal Viveros, security expert at McAfee.
"Just like the fixed line world, you need protection at multiple points in a corporate wireless network. Having network protection is a must, but you also need it at the device side itself if you're going to stop infections."
Gartner also poured cold water on claims that Warhol Worms, which infect all vulnerable machines on the internet within 15 minutes, are a real danger. The analyst firm noted that the SQL Slammer worm had a strong impact on the internet in 2003, but this is the only observed example of so-called Warhol Worms.
Gartner analysts projected that, through 2007, the internet will meet performance and security requirements for all business-to-consumer traffic, 70 per cent of business-to-business traffic and more than half of corporate wide area network traffic.
"Every organisation should consider using internet VPNs, and most should adopt them in some way," said Orans. "Today's internet offers a low-cost, good-enough or better option to the data networks of traditional global carriers."
The analyst firm said that regulations often provide a means to obtain funding for important security initiatives before incidents occur, but most regulations lead to increased reporting rather than increased levels of security.
"Regulations generally take more static looks at issues and generally don't lead to higher levels of security in proportion to the spending required to meet the letter of the law," said Orans.
Dismissing the final misconception that wireless hotspots are unsafe, Gartner pointed out that enterprises can equip and educate their mobile workers with the tools and knowledge to mitigate these threats.
The analyst firm said that mobile users should seek out 802.1X protected access points because they facilitate encryption between the mobile endpoint and the access point.
"Mobile users in hotspots should utilise their corporate VPN connection to protect traffic as it travels through the internet," said Pescatore. "They should use personal firewalls and turn off file/print sharing to protect their endpoints from data theft."