Users who ignore or forget their security lessons, together with increasingly sophisticated hackers, are putting CIOs on the back foot when it comes to cyber-security.
That's the conclusion of a survey of 400 CIOs by Vanson Bourne on behalf of Bromium.
The industry is losing the battle against cyber-criminals, according to 60 percent of the respondents. End users get most of the blame, with 85 percent of CIOs saying humans are the weakest link because they either ignore or forget training courses and corporate policies and procedures.
This is exacerbated by the hackers who, in the view of 68 percent of respondents, are becoming ever more sophisticated.
Commenting on the findings, Bromium co-founder and president Ian Pratt said he was surprised it was only 60 percent – “Are the rest delusional?”.
Pratt, whose company has pioneered a micro-virtualisation approach to combatting malware, said CIOs were right to be concerned because the traditional method of detecting malware has failed.
He has compared the current state of cyber-security to sending CISOs to a knife fight armed with a spoon.
“The way everything in the industry works has been some kind of detection. It could be hashes, signatures or behavioural – but you have to have some model of what is bad to be able to look for it and block it,” he said. “That whole model is doomed because we have known since the work of Alan Turing in 1937 that it is a mathematically impossible problem. The best we can do is come up with a set of heuristics and that's why we are in the arms race that we are in today.”
Artificial intelligence isn't solving the problem, either, he said, because with a few simple tweaks to the malware code, the behaviour can be changed enough that the best AI product on the market would give it a clean bill of health.
Bromium says it has created software that “isolates an entire task within a micro virtual machine using Intel VT to hardware isolate the execution of the task”. In this architecture, every instance of a task within an application is isolated in its own VM, eg every tab in a browser and every document in a word processor.
Information can only be shared between the processes with the explicit permission of the user.
Pratt said that even Microsoft has admitted it can't defend Windows using the current security model. It is also developing micro-virtualisation, with the promised release this year of Windows Defender Application Guard for the Edge browser which will open untrusted sites in a new instance of Windows at the hardware layer.