By Toby Weir-Jones, Vice President, Product Development, Managed Security Solutions Group, BT Global Services
Last week, we found out that, despite all the progress on both technical and legal fronts, the volume of spam during the first quarter of 2010 increased six percent over last year, according to Google’s Postini group.
Google offered up some insight, but its bottom line was “keep moving things to the cloud so we can take care of them for you.” Cloud-based or not, an enterprise mail administrator is still going to deal with virus attachments, image payloads and dangerous embedded links coming into their own server infrastructure. And some users still open/click/download, bless their hearts.
So what makes a security threat go away? Clearly, not 100-percent user awareness or 100-percent effective technologies. Yet management is inclined to think that, if it’s not on the front page of the paper anymore, it must be taken care of. Positive ROI achieved. On to new things!
IT Security Managers know the truth is far less convenient. They’re still dealing with legacy Windows NT boxes, modems, and an inability to keep flash drives out of USB ports. They set up access control lists and proxy servers, and then have to bypass them because “Somebody Who Matters” can’t get to the scheduler for tee times. Yet if they go looking for fresh budget on an “old” problem, their entreaties about evolving attack sophistication and more complex use cases get swept aside.
People who control the budgets but aren’t in the trenches need to understand that it’s very difficult to retire a class of threat, especially when the attackers have monetary incentive to keep trying. Spam works because users keep clicking on the links – even when the mail is in their Spam folder – and the bad guys know this, too.
A coordinated IT Security Plan needs to ensure that defenses against established threats remain relevant and funded, while emphasizing the advantages of integrated tools to keep the hardware and support footprints under control. If you’re buying assessments against your perimeter or internal security, don’t strike off the war dialing just to save a few dollars, because a lot of machines still have modems plugged into POTS. If you have a legacy app which “absolutely needs” some archaic device and all the bizarre workarounds to keep it alive in a current network, spend the money to upgrade the application or build a new solution.
In the end, it’s like your crazy relative who keeps their ancient vacuum cleaner because “it works fine.” They don’t want to consider how limiting their choice is and place no value on the extra time and effort they invest personally. Businesses cannot afford such complacency (or, worse, fear) and IT Security Managers need to be able to communicate the risks clearly and in financial terms.

