
Be secure: 'Plan, don't patch', says AV pioneer

Embrace risk, not patches...


By Will Sturgeon

Published: 3 October 2005 15:50 GMT

Companies are putting too much faith in patching software and investing too little time in proper risk assessment, according to a pioneer of antivirus software.

Dr Peter Tippett told silicon.com the current approach to security has become outdated, counterproductive and too costly. He also controversially suggested companies only patch their computers once per year.

Tippett's words echo the growing voice of support for a move towards a risk-based approach to security.

As such, Tippett, CTO of security giant CyberTrust, now dedicates much of his time to monitoring "the underground", working out the likelihood of malicious code being written to exploit emerging and existing technologies, and "knowing exactly what the real problems are".

Tippett likened the necessary intelligence-gathering and risk assessment to the very British obsession with checking the weather forecast.

"Predicting the weather is not a perfect science but it can help a lot," said Tippett, who advises companies to spend more time assessing risk and the probability of attack rather than waiting for the window of vulnerability to open and then rushing to batten down the hatches.

"Companies who decide that patching is going to be their primary method of defence are always going to be worse off than average and are going to spend more and more money on security each year. If you can patch 100 per cent you will be protected against a lot of threats but nobody does or can patch 100 per cent," said Tippett. "The average is around 70 per cent."

"Patching works well if you have one computer. It even works well if you have three computers but if you have 10,000 then forget about it.

"There are all kinds of computers which are not known about by the management. There are mobile workers and protected computers which are never touched except during a service window."

"It would therefore be a mistake to put any faith in patching," said Tippett. "I'd say patch your computers once per year. Plan it three or six months in advance and you'll at least be able to get hold of all laptops and computers."

"Get it done properly and get all your computers to a situation where software is within a year old."

Companies that have already distanced themselves from the reactive, fire-fighting approach to security are claiming significant savings - such as a halving of the IT budget at insurance giant Zurich, as covered recently by silicon.com.

According to Tippett: "These companies spend less money on scanning and less money on paying people to run around patching like crazy."

Tippett agreed with the recent assertion of Gartner analyst Jay Heiser, an advocate of a risk-based perspective, who said such an approach will come from the business and not from the techies.

"Technical people see things in a binary way. They adopt a 'world is flat' approach. The higher up the organisation you go, the more this starts making sense."
