Security Adviser: Unauthorized apps are still bad

As expected, I caught a lot of flak for last week's column suggesting that one of the better, real security solutions an administrator could implement is to prevent unauthorized programs from executing on business-owned computers.

I have to say I was surprised to get several letters completely agreeing with me -- mostly from security administrators who have already implemented my suggested policy. They recounted what their environments were like before preventing unauthorized software and afterwards, none would change back. Several C-level administrators wrote me to say that employees trying to circumvent their company-mandated images would be fired for the first offense.

More common, unfortunately, were the e-mails admonishing that I would stifle employee creativity and doom the company to catastrophic failure. One reader spelled it out like this: "The problem is that you are trying to make your job easy. Your prescription gets that done. No question. But at what cost to the organization? In the end organizations exist to make profits (private sector) and add value for their customers (all sectors). Not to be secure. Security is part of the picture but only a supporting part. Your suggestions amount to 'everything not explicitly permitted is denied.' Organizations and societies that operate like this wind up static, stagnant, and wither away."

I like this reader's e-mail in particular because it captures the fears accurately. Similarly, several educational institutions wrote to tell me that I would be killing "academic freedom" by preventing unsanctioned programs.

I appreciate these readers' comments, but I don't buy their arguments. Underlying my recommendation is the most significant change that has occurred to computer security in recent years. Nearly 99 percent of all malware exists to steal victim information. Let that sink in a moment. We now call it crimeware, and nearly 99 percent of all organizations aren't doing enough to prevent it.

The risk is high, and most entities are still treating the threat as if the world of malicious hacking is still full of teenagers sending greetz out to their peers or trying to flood e-mail systems with identical e-mail copies. It's a different threat model now, and yesterday's defenses didn't work yesterday, much less today.