By Matthew Rand and David Whelan
To sell antivirus software, first you must sell the fear.
Verisign, the intrepid Web security giant, issued an ominous warning
in December. It predicted an imminent invasion by a worm called Sober,
which would infect networks worldwide and clog up the Internet. It
would be timed to coincide with the 87th anniversary of the founding
of the Nazi party. Other firms joined in a chorus of worry, offering
an abundance of soundbites for news outlets. Then in January dozens
more reports, similarly circulated by security firms, warned that an
e-mailed virus called Kama Sutra would ruin PCs from Seattle to Sri
Neither outbreak ever occurred. Two small security software outfits
claimed credit for blocking Kama Sutra, but Microsoft (nasdaq: MSFT -
news - people ) said later the threat was overblown. Vincent Weafer,
who runs the security response division at Symantec (nasdaq: SYMC -
news - people ), the world's largest seller of antivirus software,
concedes both threats were duds and that his rivals overhyped them.
"To get attention, you pick something new and say the sky's falling
down," he says.
Fear-mongering sparks big business in the thriving computer security
industry. Spending will grow 18% this year to $38 billion. In 1995
venture capitalists backed all of 3 new security firms; last year they
funded 96 newcomers. To stir up business, they ply fearful forecasts
and ominous ads. RSA Security's (nasdaq: RSAS - news - people ) annual
conference in San Jose, Calif. drew 14,000 this year, up from 10,000
in 2004. Some 4,000 attendees paid the full $1,100 to $1,900 to get
spooked in person.
The fetish for fretfulness has gotten old. U.S. losses last year from
corporate security breaches "declined dramatically," say the Computer
Security Institute and the Federal Bureau of Investigation, to $130
million based on a survey of 639 companies. (Other incidents go
undetected because companies are too ashamed to report them.)
Three-quarters of companies said they had some virus problems last
year, but 94% said so in 2001.
The improving stats have done little to lift the security industry's
mood. Symantec recently warned that instant messaging would be the
next source of threats, while flogging a new product that scans
instant messages for viruses. In 2003 it called cell phones "the
Achilles heel," while promoting new wireless products. "Chief
executives are like consumers. They are heavily influenced by what
they see on CNN or in the newspapers," says Symantec's Weafer.
The antivirus warriors lately have conducted surveys to highlight a
glaring security weakness: the gullibility of a company's own
employees. Never mind that even their toughest products can't protect
much against same. Offered the chance to win chocolate Easter eggs,
81% of London commuters polled gave out their birthdays, pet names and
other personal data, possible clues for cracking into their e-mail
accounts. The pollsters were hired by the organizers of the
Infosecurity Europe conference.
Before the same conference two years ago RSA Security performed a
similar stunt and found that 79% of people gave out this kind of
personal information--free. That prompted a press release: "Internet
identity theft threatens to be the next crime wave to hit Britain."
In the U.S., RSA, which sells electronic tokens that generate
randomized passwords, hired a perky team in "I Love NY" T shirts to
scour Central Park and sweet-talk tourists into giving out their
mothers' maiden names; 70% did. Newscasts in San Francisco, Miami and
Boston ran the story. Christopher Young, an RSA vice president,
bristles at any suggestion that the surveys were aimed at stoking
sales. "It's hardly that direct." The surveys, he says, are used only
to "raise awareness."
Some 70% of security breaches are caused by human error, says a March
2006 survey by the Computing Technology Industry Association. Brian
Boetig, a supervisory special agent with the FBI's computer crime unit
in San Jose, Calif., describes the typical breach: "When you fire an
employee and don't change their password, they can get into the system
and get information to a competitor." No technical solution there.
Says Boetig: "There are people creating problems so they can fix them.
But that's marketing for you."
=A9 Forbes.com Inc. - All Rights Reserved
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.