Spending by most organisations need not be high, he claims, but customers need to know more about threats
An ex-head of government spying agency GCHQ has slammed the security channel industry for being greedy and over-selling its products.
At the NetEvents IT and security symposium in London this week, held on the eve of Infosecurity Europe, Brian Lord OBE, former GCHQ deputy director for intelligence and cyber operations, said: “Most organisations on average only have to spend between £3,000 and £4,000 on security to lift them out of the main danger zone. But the security industry doesn't want them to hear this of course as they want to sell their special bit of tin.”
Lord acknowledged that such expenditure wouldn't make any organisation completely safe from data breaches – no technology available today can – but he claimed that greed in the security industry was preventing companies truly understanding the nature of the threats they face. Lord said: “You have a pile of avaricious vendors who made a fortune out of the 1999 Millennium Bug and planes were never going to be falling out of the sky. But these vendors do not want to promote basic protection which can protect many SMEs using low cost solutions.”
On the other side of the coin, Lord said companies themselves had to do more to understand the threats they faced. Speaking as a security consultant, he said many boards are “nervous about tackling the issue”. “This is because they are not sure they understand the problem and they fear losing control through this lack of understanding.”
Lord said many firms were trapped between a rock and a hard place in securely managing their systems. “Some believe they can't afford to update their systems because they are planning to migrate to different systems, and then they delay protecting what they have.” He said others may invest in new systems but then cut back on fully maintaining them to save money, while some firms try to “lash together” too many different systems instead of fully overhauling underlying infrastructure.
“We are entering a period of more failures like that seen at British Airways, and cyber criminals will be quick to take advantage of any vulnerabilities to be found in infrastructures that are not fully updated,” said Lord.
Carl Gottlieb, consulting director at security VAR Cognition, acknowledged that some vendors and channel players can over-sell their products. Speaking at a session on ransomware at NetEvents, Gottlieb said: “There can be a mishmash of people selling security products. A sales person may well tell a customer their product can do anything that customer wants it to do, but there may be a system engineer somewhere else telling the sales person they can't actually promise that. It's wrong but it does happen.”
His sentiments were echoed by Jason Steer, solutions architect EMEA at vendor Menlo Security. Steer said: “Consumers and SMBs are often being sold security solutions that are not fit for the purpose they were bought for.”