If network intrusion vulnerabilities and operating system viruses aren't enough to keep IT managers on their toes, the next generation of security threats will target the millions of applications that are not secured, according to Cisco's chief security officer John Stewart.
He said the company is concentrating on network and applications security, because this is where threats are emerging, adding that 75 percent of attacks have been directed at applications this year alone.
"The application security problem is now and will stay for a long time," Stewart said, adding that money needs to be spent on securing applications as organizations have hundreds, but only a limited number of operating systems in use.
While Stewart believes the operating system vendors are getting better at securing their software, he lashed out at the antivirus industry, saying vendors are too reactive when it comes to dealing with threats.
"I am paying a vendor money to tell me if I have a new signature," he said. "That's like saying do you have a cold, give it to me and then the cure and I'll pay you $20 bucks."
According to the 2005 Computer Crime Survey, viruses have caused $43 billion in damages.
"That's money that could have been better spent if viruses weren't around," Stewart said.
Virus havoc can be alleviated by investing in technology that allows organizations to be proactive, according to Stewart, as patching and signatures "won't sustain us from the problems of today", and behavioural methods will become more involved whereby the right information will be accessible by "the right person at the right time".
"The amount of dollars spent on reactive measures is increasing [and] we're spending more then we could possibly lose," he said. "The dollars don't lie."
During his keynote address at this year's Networkers conference on the Gold Coast, Stewart described three types of companies on the antivirus radar - those that have been broken into, will be broken into, or will be broken into again.
"When you say you are gong to invest in defeating attacks that's when you become a target," he said, adding security is too frequently "penalty based".
Stewart recommends organizations have a goal to ensure employees understand that security is the responsibility of everyone and technology will not solve these problems.
"Security culture can exist, but not if the security team are the only ones doing it," he said.
Stewart also stressed the importance of employee accountability, citing one example where an employee was fired for downloading movies after a warning that it was against the company's security policy to do so.
"Every once in a while, public execution helps," he said.