Be prepared to pay for security

In an ideal world, Microsoft would make secure software, users would apply patches, and virus writers wouldn't write viruses. But this is not an ideal world, so there is only one option.

When one million of your customers have their IP addresses added to a spam blacklist, there is clearly something wrong with your security systems. Just ask Telewest: this is exactly what it experienced in May after 17,000 of its users saw their computers turn into spam bots.

Whose fault was this? The users, for failing to update their security software; the ISP, for failing to take responsibility for PCs connected to its network; the spammers and virus writers, for exploiting insecure PCs; or Microsoft (and all these PCs will be running Microsoft software), for producing insecure software in the first place? Obviously, all of them.

But while culpability is widespread, the ability to improve the situation is not. Expecting users to install a secure operating system is as unrealistic as expecting Microsoft to produce one, or expecting virus writers and spammers to realise the errors of their ways and take up employment in a soup kitchen.

The one point in the chain that can realistically be expected to make a difference is the ISP, as we have pointed out before. There is a growing groundswell of opinion that ISPs must take more responsibility for the viruses, worms, Trojans and other malware that travel over their networks.

Perhaps it is recognition of this groundswell that prompted Telewest this week to announce that it is to provide firewall, antivirus and automatic update software to its users. We'll have to see how well it works, but if so many businesses are still having difficulty applying patches and virus updates, what chance consumers? A fully managed service seems the best way forward.

Nobody expects free security, and if ISPs need to charge for doing this, then users — that is, anyone with an Internet connection — should be prepared to shoulder the cost. Broadband prices are now so cheap as to be negligible, and the ever-falling cost of PCs, notebooks and other devices that connect to the Internet means that any extra cost for security is easily absorbed.

It's not so much a question of can we afford managed security services for ISP customers, as can we afford not to have them?