Free Security?

March 8, 2009

If you are 17 and want to guarantee yourself a dateless Friday night, my advice is to take up the oboe. When the cute new transfer student in my geography class found out my after-school activities involved Brahms and Telemann, the door to possible romance closed tighter than a hatch on a submarine. As word spread through school that my extracurricular performances required a white shirt and tails rather than a numbered jersey, I became black and blue from being touched with ten-foot poles. What was a lonely boy to do?

My father played three-chord hillbilly guitar for most of his life. I told him I enjoyed the orchestra, but all the hot chicks really dug guitar players — although not necessarily Gene Autry or Hank Williams. He took pity on me and dragged home a cheesy Teisco Del Ray electric with a nail behind the twelfth fret and a battered 1963 Fender Concert 60-watt tube amplifier. He taught me those three chords, and I would turn up that amp so loud that my bell bottoms flapped at the ankle. Surely this would improve my opportunities with the girl in Geography class.

I joined up with some guys from the school jazz ensemble to form a band, and we played what passed for rock music in that small Midwestern town. Translation: we sucked. Badly. In order to secure audiences in the dusty, fly-blown truck stops and roadside watering holes, we decided on a cunning plan: we named our band “Free Beer.” We planned to see our name in lights on the mobile marquee: One Night Only! Free Beer!

I suppose it was simply too good an idea, perhaps far ahead of its time. After several heated discussions with possible employers for our troupe, we were turned away even before the audition. The discussions always involved the concept of false advertising.

I guess I should have gone into marketing. “Free” has become a staple of modern corporate pitches. I was excited when I recently learned I could get free carpeted floor mats and an upgraded stereo system for my car — but I need to purchase a new Mercedes-Benz this month only. The local public television station wants to give me a free tote bag and DVD of The Best of Wayne Newton — if I donate $150 during today’s telethon. A national home protection company will install a free security system in my home — however, I must commit to two years of monitoring at a “special” price. A nice barrister in Nigeria is willing to cut me in on 30 percent of his deceased client’s portfolio of $18 million Euros — providing I immediately send him my personal banking information so he may transfer the funds to me for “investment purposes.”

Most of us have figured out that free is never really free, and deals too good to pass up should really be passed up. As we gain experience, we learn to look for the caveats, as well as the ifs, ands or buts of the deal. None of us works for free, so why would anyone else be willing to do the same? People (and companies) don’t survive giving away valuable services or commodities. They may give you something for free and roll that expense into a larger deal, or they may use the freebie as a loss-leader to hook you in to profit-making sales. In any case, free is rarely free.

Why wouldn’t the same be true for security? Recently, Microsoft announced it was providing free security technology to its customers. This comes on the heels of an announcement they made almost three years ago claiming they would offer free anti-virus capabilities. Several well-known security technology companies watched their stocks plummet in the days following. The logic was pretty simple. Why would anyone pay for security products if Bill Gates was going to obligingly provide them for free?

Personally, I would worry about all these deals that seem too good to pass up. What’s the caveat? Where’s the fine print? Microsoft operating systems and applications have been riddled with technical vulnerabilities since they began selling software. Now they claim they will mitigate these risks for free. How much technical effort will they invest in a product that provides them with zero marginal revenue?

Recently, a good friend called to tell me a large government agency made a decision to go with a tiny technology start-up to obtain their critical anti-virus and anti-spyware capabilities. The reason? The little company was desperate for a marquee client, and offered the deal to all the agency’s IT users for pennies a seat. Apparently, the government buying agents felt they couldn’t justify paying out the taxpayers’ money at the higher prices proposed by the established technology leaders when this tiny company would offer them something called anti-virus for a fraction of the others.

How would you like to be the security guru for that agency when they are slammed by a wide-scale malicious software attack? Would you like to be the one saying, “Well, Madam Secretary, at least the security tools bought were the cheapest available!” Personally, I prefer to look for the fine print when I see the word free or something that simply looks too good to be true.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications.