Craig Elliott, chief executive officer of Pertino, a cloud-networking startup, knows that the antivirus software his company uses won’t deter all hacking attacks. That won’t stop him from using it. “It’s a safety blanket,” he says. “It’s CYA [cover your ass] more than anything else.” That’s why the antivirus industry, born in the late 1980s to combat floppy-disk viruses, has staying power, even in this era of sophisticated hacks from China and elsewhere.
Although the word virus generally applies to all manner of computer attacks, data security pros no longer just worry about old-style viruses—programs or pieces of code that replicate and spread from computer to computer, degrading their performance. The new threat: advanced forms of malicious software, or malware, such as online banking password-stealers and military-grade spying software.
Recent incidents like the attack on the New York Times by Chinese hackers, which antivirus software failed to stop, illustrate the challenge facing industry leaders such as Symantec and McAfee. A weakness of antivirus software is that it’s designed to zero in on so-called signatures, or identifiable patterns in code. When an antivirus company finds a piece of malicious software, it adds a signature to its database, which is included in software upgrades sent to users.
The approach was effective until more sophisticated malware arrived on the scene in the early 2000s. Now identifying a piece of attack software after the fact has limited value because the most advanced malware is custom-built for specific attacks—and never used again. Today’s hackers also prefer to infiltrate networks via e-mail and social media, making attacks harder to detect. The Times attack is thought to have begun with infected e-mails sent to employees.
After the Times disclosed that Symantec software failed to identify the malware used in the breach, the Mountain View (Calif.)-based company issued a statement saying that antivirus protection alone is not enough to thwart advanced attacks. Symantec (SYMC) and Santa Clara (Calif.)-based McAfee are upgrading their security software to keep pace with hackers, such as adding blocking features that crunch traffic data to determine whether an unknown e-mail attachment or website is trustworthy.
“The industry will likely change pretty dramatically,” says Francis deSouza, Symantec’s president of products and services. “We’re seeing more malware than we’ve ever seen before, and we’re seeing more custom malware than we’ve ever seen before. Those trends have profound implications for the antivirus industry.” Michael Fey, chief technology officer for McAfee, which is owned by Intel (INTC), says “one product is not a silver bullet.”
Despite this, companies aren’t likely to dump their antivirus software. Even if they wanted to because of cost or performance concerns, many simply can’t, says Amrit Williams, chief technology officer of Lancope, a company which sells software that scans computer networks for malware. Retailers that accept credit cards, for instance, must comply with the Payment Card Industry (PCI) data-security standard, which mandates antivirus protection. Corporate security chiefs in industries that don’t require antivirus software can choose to buy it—or risk their jobs if they go without it and get attacked, Williams says. Consumer and corporate purchases of software to combat online threats will account for $8 billion of the $66 billion in worldwide spending on computer-security technology this year, according to Gartner (IT).
Another reason demand for antivirus companies’ products is likely to remain high is that there’s still a threat from less sophisticated attacks, says Steven Ashley, an analyst with financial services firm Robert W. Baird in Milwaukee. The New York Times is still a Symantec customer, though it is “exploring other options,” says spokeswoman Eileen Murphy.
“Antivirus is an important element that will always be there,” says Ashley. “Even if someone broke into a guarded office or facility, you won’t take down the fence around it.” At least one company, though, has done just that. Palo Alto Networks (PANW), a maker of network-security equipment, has no official policy on antivirus software, says co-founder Nir Zuk. Its 840 employees are not required to have antivirus software on their machines, and the company uses its own network-security products to defend against attacks. Most infections occur in the first 48 hours after a new piece of malware is released—before antivirus companies can get a fix out to customers, Zuk says, citing his company’s research.
“I think there’s value in AV—most CTOs won’t get rid of it,” he says. “It’s just that I think the cost of it, and the fact it only works on some machines, and the fact that it’s not detecting targeted or new attacks, makes me want to invest my money in other solutions.”
The bottom line: Companies are spending billions on antivirus software even though it’s becoming less effective at stopping hacking attacks.