Several years ago I took some flak for suggesting during an interview with the IT press that Apple’s Mac OS was not subject to the virus and malware onslaught that’s plagued Windows due primarily to a simple function of market share. At the time, Windows XP was the dominant operating system on the world’s computers, and if your goal was to co-opt computers, steal information, or cause general mayhem, you would obviously go after the most prevalent target. Call it the Willie Sutton rule if you will; the famous bank robber, when asked why he robbed banks, responded “Because that’s where the money is.”
Apple smugly marketed this dearth of malware as a sign that Mac OS was somehow superior, when much of the discrepancy was due simply to market share. The bad guys followed the Sutton rule and went “where the money is.” Along with increasing sales of Mac OS, we’re now seeing Mac OS subject to viruses and malware, recently with a “botnet” (a group of computers that have been co-opted by a nefarious entity) that contained nearly a million Mac computers.
Any mainstream computing product, from phones to enterprise software, will be subject to security attacks when it either reaches critical mass in the market, OR is run predominantly by companies with valuable information that’s worth stealing. The old quip about “security through obscurity” rapidly dissolves if you have something worth stealing behind that veil of obscurity, as recent bank, government, and software company hack attacks have demonstrated.
This commentary isn’t meant to incite fear and loathing, but rather to suggest a rational approach to risk based on what valuables your computing infrastructure holds. Just as you need not install Fort Knox-level security at the local convenience store, you need not go overboard on IT security. Conversely, you likely wouldn’t leave the door to your home wide open, nor should you dismiss IT security outright by assuming your company is too small, or your products too “magical” or obscure. In short, there’s a logical balance that should be driven by an assessment of risk, and the market share of the computing tools you use, not marketing copy or misguided notions of obscurity.