The Fear Factor
Putting the frighteners on customers just doesn't work any more, despite the risks involved in remote networking, reports Nick Booth in part three of a five-part security series
<
Organised crime has come a long way since the Krays used to terrorise local businessman.
Back in the 1960s, it was common for a new business to receive a visit from a gentleman with a flashy suit and expensive motor. While the proprietor of the business was still wandering how such a cocky young upstart could afford these luxuries, the brash gunslinger would hit him hard. This is a nice business you've got here, he'd begin. Wouldn't it be a tragedy if someone was to come along and trash it? You could lose all your customers overnight. Once they've been scared off they'll never come back, he'd point out. He'd follow up this advice with what modern salesmen call a leading question, like 'and we don't want to get the police involved in this, do we?'
It was called a protection racket. You were forced to pay a regular sum of money to make sure some hidden threat never materialised.
Pretty soon, the hapless pub manager or restaurateur would find these young thugs spending a lot of time hanging out on their premises, demanding free drinks. Often they brought their big bosses along, with their associates, or partners, as they laughably called them. These solution providers always proved far more unpalatable than the imagined threat. As ever, the police were pretty useless at combating the problem. Lack of resources, you see.
How things have changed. These days the criminals all have typists' hands. They're all sitting behind keyboards, somewhere in eastern Europe, cursing the day the KGB laid them off, and trying to work out how to turn those espionage skills into gainful income. Gone are the knuckle dusters, crow bars and chivs. These days, the tools of the criminal's trade have names like virus, worm and Trojan. Villains don't hang out in West End nightclubs surrounded by celebrities any more; they're much happier with a simple pursuit like phishing.
Scare tactics
Some elements of the old protection racket are intact, however. SME businessmen are still being visited by aggressive young men from the lower orders, who arrive in flashy motors, their gaudy jewellery clashing terribly with their expensive-looking suits. They still issue serious threats (Wouldn't it be terrible if your server went down? What if you lost your customer database? Did you hear what happened to Barcloyds Bank? Terrible business eh?) and try to scare the hapless proprietor into paying them a regular retainer.
The only difference is that these unwelcome visitors are now called IT salesmen. And these days the small business proprietor sees through these threats and politely shows them the door.
Now, some bold IT vendors are calling for an end to this ghastly practice. The IT industry's young gunslingers have shot themselves in the foot. Threatening people with terrible consequences is terribly counter-productive, says Marc Thompson, managing director of Avant, a mobile computing and security vendor.
"Scare stories are so naff. That's not the way to sell security. I don't think businesses react well to all that nonsense any more," says Thompson. "In fact, I don't think they ever did."
Thompson says there needs to be a radical rethink about the way security is sold these days. It's time to show a bit more imagination. If you can't do that, showing some understanding might help.
"We didn't set out to get into mobile, or even security. We were led there by our customers. They had a mobile workforce, and they asked us to sort out their communications problems. Following that, they realised there were security implications. We've been successful when we've responded to customers' demands, not by trying to bamboozle them," he says.
Avant recently merged with security firm Logsys, which provides encryption for mobile devices, and is partnering with O2, with which it is launching a channel programme aimed at assisting resellers into the secure remote market. Just like hundreds of other companies before it.
Avant guard
The one outstanding quality Avant might have is a good understanding of the channel, however. "Ten years ago we were fixed-line resellers, so we know what it's like migrating into new markets, like security. That's why we're devising a channel support programme that does everything we would have wanted when we were starting out," says Thompson.
"What resellers really need is someone to fill in the gaps in their service. No reseller ever has the full complement of services." At the most basic level, all an Avant reseller would need is a customer. Avant can provide all the pre- and post-sales support and the installation, and can pay the reseller commission. If the reseller wants to earn more margin, it can move up the value chain by learning how to do all this.
Avant's take on remote working is that mobile workers are likely to be using mobile networks to communicate. They argue that margins might be made in selling the megabytes of corporate data that whiz between a worker's palmOne hand-held computer and the server back at the office.
"For the comms industry, there used to be margins in selling minutes of airtime. Nowadays, resellers' margins are in megabytes," says Thompson. In other words, there's money to be made charging for data that's being sent over mobile networks.
Since these are the early days of 3G networks, it could be that companies won't have learnt how to keep a tight lid on their expenditure on mobile data. That's usually where the big money is to be made in immature industry sectors.
Mobile milestones
You might not agree with Avant and O2's analysis of secure remote networking, but at least they're offering something new and original.
Aventail is another company that's beginning to address mobile users. In April it organised a reseller event in Oxford that explained to 30-odd VARs the need for virtual private networks (VPN) to be established on mobiles and smartphones.
The big issue, says Tony Caine, Aventail's vice president for Europe, is that IPSec, the traditional method of securing remote workers, isn't ideal for 'roving' users who move around a lot. "It's fine for site-to-site security, but the thing about roving users is you never know what connection they'll be using," Caine says.
"They could be using dial-up, wireless or some connection the hotel has provided. The solution we're pushing is clientless SSL VPNs."
Aventail claims its resellers can secure clients by giving them a new set of rules that mobile workers must use before they can get on a network. At least it's an original innovation.
The rest of the IT security sector has settled into a depressing trough of mediocrity. There are hundreds of security vendors now, and very little to choose between them.
It's an uphill battle trying to find anyone with anything original to say about the security market. As Bob Jones, chief executive of Equiinet, said of the exhibitors at a recent security show in London, "Half the people here will be talking rubbish, and two thirds of them won't be making a profit."
There are lots of figures being bandied about. And lots of market statistics, compiled by research companies that, by now, everyone suspects are on the payroll of the big IT vendors. Is this a way to sell IT security?
To a casual observer, the security market seems jam-packed with identical companies selling identical products, all using the same shock tactics to try and attract a slice of corporate IT budget from the same customers. It's a bit depressing. If I was an IT manager, I'd rather run the risk of having the company brought to its knees and the shareholders suing for possession of my house than listen to another morale-sapping lecture about compliance by some IT salesman.
There are a few vendors attempting to make things more interesting. Jones says he has always tried to steer his partners away from pretentious marketing campaigns. Equiinet's security offering is accordingly cheap and cheerful.
It has to keep things simple as it supplies multifunction security appliances for branch offices and SMEs. Though they go up to 500 users, the typical customer has about 40 users. Equiinet claims to have pioneered plug-and-play security by inventing multifunction security appliances, and the simple approach seems to have paid off.
"It's very gratifying to see that sector now being recognised by IDC," says Jones. "They've even given it a fancy title. It's called unified threat management."
The whole kit and kaboodle
The logic is that it's tough for smaller businesses to be experts in security to the level that's now needed. It's impossible for them to judge what they need and then be sure that what they install is working for them. "Our approach is to deal with everything in one unit, get that unit independently validated by Checkmark so the user can have confidence in the product, and then partner with expert resellers that can offer a comprehensive installation and management service," says Jones.
Resellers and vendors don't need to tell everyone the sky is falling in any more, he says. Everyone is aware of the hazards from the internet.
"The broadband revolution has magnified that because 'always on' means always vulnerable. Internet security was the province of larger corporates; now it's everyone's problem, and you can't be half secure. So it's as much of a threat for SMEs as for the big guys," Jones says.
Nevertheless, at the corporate end of the market, emotive language seems to help. Perhaps it helps to convince IT managers that their job is exciting.
"We're in a state of information warfare," says Richard Archdeacon, director of technical services for Symantec. The name of the game has changed, he warns.
"Once the criminal wanted to bring down your computer. Now hackers want your computer running for as long as possible so they can steal money from you, or from someone else. Hacking used to be a personal violation; now it's strictly business," says Archdeacon.
The DIY factor
Many security vendors have been saying the same thing for years, to no great effect. End-users are under enormous threat, and they need to be constantly vigilant. The problem is, most end-users won't want to download constant security patches just in case a new threat has emerged. In fact, having to download a new security patch every other day tends to make people think they were sold an incomplete product in the first place.
You wouldn't buy a car, then expect to get a new windscreen wiper in the post the next day, and be expected to install it. Well, you might tolerate it once. But you wouldn't be impressed if the indicators turned up two days later, followed by the ashtray a couple of days after that.
The solution, according to one service provider, is to hide the complexity from the end-users. Checkbridge operates on the principle that no single vendor can offer complete protection, even in its established niche. It's unrealistic to expect one anti-virus vendor, for example, to cover all bases. The same goes for firewalls. All the different products have their strengths and weaknesses. By combining them all, you can get closer to the goal of building an impregnable defence against attacks.
So Checkbridge offers a managed service, which aims to combine all the efforts of all the leading security vendors. End-users and IT managers, don't have the time to keep up to date with all the developments in the security market.
This sort of security aggregation could be the answer that end-users are looking for, says John Turley, managing director of Checkbridge.
"There are some great products on the market, but each one on its own has a vulnerability that can be exploited," he says. "Any signature-based virus scanner, for example, is fatally flawed as it's only as good as the knowledge we have about previous patterns of attack. If something new turns up, it drives a coach and horses through the virus protection systems."
Anti-complexity protection
Jones agrees that you have to shield end-users from complexity. "People don't want to see the workings. That's very last decade. The logic in the 90s was that it's good to show users what you're doing for them," he says. "But any aspect of IT is very unfashionable now. No-one's interested in how the IT works, they just want it to do its job."
Equiinet's strategy is to make a single multifunction device that carries out all the security jobs.
The SME market, argues Jones, needs a single plug-and-play device that takes care of all the firewalling, anti-virus and intrusion-busting work. More importantly, it should run unobtrusively, and update itself automatically, so users don't know it's there. "There's nothing worse than a security guard that doesn't know its place," says Jones.
The security industry is finally beginning to mature, agrees Amar Rathore, managing director of security distributor EIP Distribution.
"The idea now is to produce intelligent security solutions that only raise an alert when something is genuinely concerning. With fixed networks, IT departments found that they were dealing with millions of false positives, alerts that proved not to be important. They ended up being time-consuming and counter-productive, because the security systems cried wolf so many times that when a genuine problem arose, IT managers often overlooked them," say Rathore.
Now that a great proportion of the corporate network is mobile, there's far more scope for false alarms, so it's imperative that security systems become more intelligent.
Rathore says intelligent systems, such as Countersnipe, which set out to reduce the false positives, will be in big demand among corporates who need to manage mobile workers.
"There's good news and bad news for corporations. The good news is they have mobile networks. The bad news is that their networks are all over the place," says Rathore. "This is our big opportunity to secure those networks for our clients."