
Anti-virus won’t keep your data safe

by Jago Maniscalchi  //  December 3, 2011  //  Threat Mitigation  //  No comments

Two of the key rules of Information Security are to understand what you are protecting and to understand what you are protecting it against. These rules are easily forgotten when designing and implementing a new security system – it is easy to find oneself purchasing and installing commonly used products, without stopping to consider what threat that product will protect against. Most IT workers, for example, will insist on installing an up-to-date anti-virus product on all their machines, but many don’t stop to consider why they are doing it. Anti-virus is almost a reflex response to a requirement for security.

All information security processes should exist to satisfy one of three requirements – Confidentiality, Integrity or Accessibility – often known as the CIA triad. That is, your security systems should exist to protect your data from prying eyes (confidentiality), to protect it from being changed without authorisation (integrity) or to protect it from down-time (accessibility).

Security professionals are often guilty of overlooking integrity and accessibility and think of information security purely in terms of keeping their data safe from prying eyes. They also make the assumption that the products they use to secure their system will all help with confidentiality. Anti-virus products, though, exist to detect and remove large scale virus infections, very few of which ever steal or change corporate data. Instead, viruses usually cause disruption, make use of computer or network resources (in DDoS attacks, for sending SPAM, for scanning networks etc), or in some cases target the financial data of home users (credit card details, BitCoins etc).

If a virus were to find its way onto a corporate network, it is unlikely that confidentiality would be breached. It is more likely that large scale disruption would occur, and that an expensive cleanup operation would be required, consuming both man-power and money and requiring system downtime. Viruses, then, are more likely to affect the accessibility of a system than its confidentiality or integrity. Of course, it is possible that your system could be subject to a sophisticated attack, perhaps by a competitor, with the aim of stealing confidential corporate data. It is unlikely, though, that your anti-virus system would spot it.

(Edit: this article about a hospital in Georgia illustrates the disruptive effect that a malware strike can have).

Accessibility is an important requirement under the CIA triad, and it is certainly worth having a corporate anti-virus solution in place to mitigate the risk of a large scale infection. It is important though, when planning your security architecture, to understand that the money you invest in your anti-virus solution is invested to keep your system online, and not to protect your data from theft. It is equally important that you ensure you have other mitigations in place to protect your data from competitors. Relying on anti-virus alone to mitigate data theft will not prove to be a successful strategy.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.
