While activities like updating antivirus definitions and running software patches are important to the overall security of an enterprise, TruSecure feels that the focus should be on risk management.
According to Peter Tippett, vice chairman and chief technology officer of TruSecure, the whole world is thinking about security wrongly.
"They are focusing on vulnerabilities," he said. "Microsoft put out 76 patches last year and it requires tremendous energy and resources to put them all in."
However, he also notes that less than 2 percent of vulnerabilities are attacked, "so that is not an efficient use of resources."
"There is a need to focus on risk -- the 1 percent which really matters," he said.
The company has a list of essential practices that takes only two to three person-weeks to implement for thousands of employees. It includes things like ensuring that proxy servers and mail filters are properly configured, which can reduce the security threat by 20 times.
"Compare that with increasing antivirus updates from once a week to once a day which only improves security performance by about 1 percent," said Tippett.
Focusing on such traditional activities, he says, is an exercise in futility.
TruSecure statistics show that security worldwide is getting worse every year. Hacking and malicious code attacks have increased by 100 percent per year over the last 7 years in both cost and frequency. In addition, companies are spending 15 to 30 percent more on security each year.
"So, although spending has increased, the situation is getting worse," said Tippett. "That is a problem."
Risk management
TruSecure has a program that helps customers reduce the chance of security breaches by focusing on risk management. It spends US$4 million a year to study risk worldwide. The research covers the frequency of threats and vulnerabilities, what each threat costs in monetary terms, which kinds of companies are most at risk for which types of attacks, hacker groups and their activities, and so on. These findings are then converted into actionable items for users.
"Our main service is to tell companies what they need to do in simple steps," said Pierre Noel, chief executive officer, TruSecure Asia Pacific. Instead of selling products, "we put together a list of essential things to do using the people and products they already have."
In essence, there are no special skills or products needed.
So confident is TruSecure in its approach to security that it promises money back if there is a breach after the company has been certified secure.
In addition, the company is also working on predictive alerts which anticipate security threats. For example, it predicted the Nimda virus last year six months before it happened, and listed the appropriate steps to take to prevent infection.
This year, the company predicts another Nimda-like attack that will hit the world in about six months' time.
"It will be at least as fast and pervasive as Nimda and will affect Microsoft's Internet Explorer and Internet Information Server," said Tippett. "Microsoft has released the latest patches which will stop the threat, so if you just want to patch, now is the time to do so."
So promising is TruSecure's approach to ensuring computer security that 1-Net Singapore expects to be working with the company soon, according to Chua Kee Huat, director, sales and marketing, 1-Net Singapore.
"They are vendor neutral and have a strong certification service of data centers," he said. "They have good penetration tests and skilled personnel, an arena which we are not going to play in."