Gartner slams IT security scaremongers

Many potential security threats are exaggerated, claims Gartner

Companies have been losing out by failing to implement key emerging technologies because IT security risks associated with the technologies have been greatly exaggerated, industry experts have warned.

Analyst firm Gartner identified the five most over-hyped security threats as:

• IP telephony is unsafe
• Mobile malware will cause widespread damage
• 'Warhol' worms will make the internet unreliable for business traffic and VPNs
• Regulatory compliance equals security
• Wireless hotspots are unsafe

"Many businesses are delaying rolling out high productivity technologies, such as wireless local area networks and IP telephony systems, because they have seen so much hype about the potential threats," said Lawrence Orans, principal analyst at Gartner.

John Pescatore, vice president and Gartner Fellow, added: "We have also seen the perceived need to spend on compliance reporting for Sarbanes-Oxley hyped beyond any connection with the reality of the legislation."

Denying accusations that IT telephony is unsafe, Gartner noted that security attacks are rare for IP telephony. Preventive measures for securing an IP telephony environment are very similar to securing a data-only environment, the analyst firm advised.

Gartner added that IP telephony eavesdropping is the most over-hyped threat. Eavesdropping is unlikely to happen since it requires local area network-based access to the intranet.

"Enterprises that diligently use security best practice to protect their IP telephony servers should not let these threats derail their plans," said Orans. "For these enterprises, the benefits of IP telephony far outweigh any security risks."

Gartner went on to predict that mobile malware will be little more than a "niche nuisance" in the foreseeable future.

Penetration of smartphone and PDAs with always-on wireless to knowledge workers or consumers was estimated to be about three per cent in 2005. Gartner projects it to reach approximately 10 per cent by the end of the year.

"Antivirus vendors see huge potential profit opportunities in selling security solutions to billions of cellphone and PDA users," said Pescatore.

"In particular, the antivirus industry sees cellphones as the way to grow sales outside of a flat, commoditised PC market. However, device-side antivirus for cellphones will be completely ineffective."

But antivirus vendors have hit back at the suggestion that they are selling ineffective products. "I completely disagree with that," said Sal Viveros, security expert at McAfee.

"Just like the fixed line world, you need protection at multiple points in a corporate wireless network. Having network protection is a must, but you also need it at the device side itself if you're going to stop infections."