Archive for March, 2011

Your Choice Adobe: Customers or McAfee

Monday, March 14th, 2011

Sometimes, organizations just don’t get it. The latest edition of organizational tin-ear who-cares-about-customers comes to us from Adobe, the maker of innovative software packages that include Acrobat, Creative Suite 5, Flash and Photoshop among many others.

In addition to its innovative software, Adobe has always advertised add-on bloatware downloads alongside its free “reader” downloads, most notably the Google toolbar. For the longest time, most people simply un-checked the “Add Google Toolbar” box and went about their business. And, most of these people are its existing and prospective customers.

But, in September 2009, Adobe started offering an optional checkbox for a download of a “free” security scan from McAfee as part of the free downloads for its Flash Player. The practice expanded to include the McAfee security scanner with downloads of Adobe’s free Acrobat reader in 2010.

Harmless enough, right? Wrong!
Despite un-checking the box for the McAfee security scanner, the scanner is installed without your permission and the next time the Adobe product is used, up pops the executable for the scanner to “assess” your computer. No doubt the scanner will find something in its scan of your computer and redirect you to a page at McAfee where you can purchase something that will take care of the discovered problem, even if you take great pains to keep a squeaky-clean PC.

McAfee scanner = blue screen of death
However, before the McAfee security scanner can pop up, be prepared for the blue screen of death on the machines the scanner was installed on and some tender coaxing using known previous good configurations to restart the machines the beast was installed on. This occurred most recently to me on three PCs after trying to update Adobe reader – supposedly without the McAfee security scanner being downloaded. Despite my expressly un-checking the box for the scanner, the scanner was installed on these systems without my permission and all three had to be recovered. Not good business practices, and not a good track record, Adobe! Bordering on deceptive and liable? I’ll leave this question to lawyers.

Think I’m alone?
No, I’m just one of the many people that are being afflicted by this latest case of bad business practices and whichever set of people at Adobe are not listening with their tin-ears about the reaction customers have for the latest business practices of this dynamic-duo.

See the following buzz:

McAfee Security Scan Plus – Advice That You May Not Want, January 2010

http://techie-buzz.com/softwares/mcafee-security-scan-plus.html

Adobe and McAfee are installing malware: June 2010

http://docrampage.blogspot.com/2010/06/adobe-and-mcafee-are-installing-malware.html

Adobe support forum: from 2010

http://forums.adobe.com/thread/722513?tstart=0

McAfee + adobe + flash installer = No!, February 2011
At Andy Sciro’s blog: http://andysciro.com/2011/02/22/mcaffee-adobe-flash-installer-no/

More
Google “blog adobe mcafee” and you’ll find a lot more than these few examples. Weed through a few of these and you’ll find some fairly upset people, many wondering how and why Adobe could allow this nonsense to continue, and pleading with Adobe to put a stop to the practice of downloading the McAfee security scanner.

What will you do?
Consider yourself warned if this has not already occurred to you and consider sending an email to your employees about what will and will not be supported if PCs suddenly start coming up with blue screens.

Of the two, Adobe always had the better brand for its business practices and its treatment of customers. But its association and willingness to ignore the pleas of customers to stop the practice have fallen on tin-ears.

Adobe, your customers have been telling you for more than a year to stop this business practice and you’ve ignored them. Continuing to ignore your customers will come at much higher expense to find new customers. And, the longer the business arrangement occurs, and with the impact that it is having on users and organizations, the more likely that customers and prospective customers will simply walk away from both organizations – to the detriment of the shareholders of Adobe and now Intel.

Cyber warfare — A new normal?

Friday, March 4th, 2011

The age of Cyber war is upon us — and you better get ready for it.

If you don’t believe it, here’s a list of sources covering just a few of the events in the past year.

Attacks on South Korea
Involving attacks on business and government websites in March 2011, the latest attacks occurred in the past twenty-four hours, when dozens of South Korean websites came under attack. See the following for more information:

Business Week

http://www.businessweek.com/ap/financialnews/D9LO5ACO1.htm

CNN

http://edition.cnn.com/2011/WORLD/asiapcf/03/04/south.korea.cyber.attack

Stuxnet attacks: 2010
If you somehow missed Stuxnet, check out the following:

Wikipedia

http://en.wikipedia.org/wiki/Stuxnet

Turkish press

http://www.turkishpress.com/news.asp?id=358414

New York Times

http://www.nytimes.com/2011/02/13/science/13stuxnet.html?src=twrhp

Google attacks: 2010
If you also missed the attacks on Google and dozens of other commercial and government agencies, check out the following:

Guardian

http://www.guardian.co.uk/technology/2010/jan/14/google-attacks-traced-china-verisign

Is this more “sky-is-falling” language?

BBC

http://www.bbc.co.uk/news/technology-12473809

Or is there more to this than semantics?

New York Times Topic feature articles

http://topics.nytimes.com/topics/features/timestopics/series/cyberwar/index.html

What does it mean for you?

1. The Stuxnet attacks are the dangerous demonstration of cyber warfare — to date

2. More events are likely to occur in the future

3. You better get ready

What else does it mean?

For the most at risk
For 2-in-10 organizations that decided to significantly reduce spending on staffing and tools for information security during 2009 and 2010 in response to slowdowns in receipts, it means ramping up spending for information security to just catch up to peers. Budgets for information security staffing and tools among these organizations are going to have to triple or quadruple to simply catch up.

For most of us
For 7-in-10 of us, it means re-thinking the priorities for business risks for a new normal involving government sponsored cyber attacks, NGO attacks, culture-warfare attacks, political and economic attacks, rogue and criminal gang attacks, and how we’re going to detect, defend against, respond to, implement contingency and recovery procedures, and add more layers of defense than are currently being managed. It also means having simple yet accurate management displays to prioritize responses. Current budgets for information security are going to have to double to achieve parity with the best-in-class organizations.

For the best-in-class
For the 1-in-10 already operating at best-in-class levels, it means re-thinking and re-evaluating current strategy, risk controls, and responses. And, it also means slight increases and reallocations to deal with the new threats.

How do you know where you are, and what you’ll have to do?

Find out where you are — today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Additional resources

How the Masters of IT Deliver More Value and Less Risk

http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=20

What Color Is Your Information Risk – Today?

http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=19

The IT Rorschach Test

Thursday, March 3rd, 2011

The traditional management disciplines involve the use of directing, organizing, planning, staffing and controls to manage outcomes for organizations.

Of these, the most important is directing: it is through the tone and direction established and reinforced daily by senior managers that organizations become either industry leaders or laggards. The same disciplines are as important to managing IT as they are to managing the organization.

Beyond the five management disciplines are some telltale characteristics of how well — or poorly — organizations are doing in managing the IT portfolio to support peer-beating growth results, including revenue and profit; while avoiding industrial espionage, the loss of intellectual-property, the theft of customer data, and headline-grabbing events that result in damage to reputations and brands.

Take the IT Rorschach Test

Which of the following are true at your organization?

• The business value of IT is visible to senior management

• Business risks from the use of IT are visible to senior management

• The business value of IT assets is prioritized

• Unacceptable business risks related to the use of IT are documented

• Acceptable risks and control exceptions for IT are documented

• Business risks for IT assets are prioritized

• IT controls for legal and regulatory compliance are prioritized

Add up the number of times you said yes to each of the seven questions, then find out what the results mean.

1 to 2 “Yes”: Least value delivered and highest risk

3 to 6 “Yes”: Middle of the pack for value delivered and risk

6 to 7 “Yes”: Most value delivered and least risk

This simple IT Rorschach Test is based on research conducted with more than 1,600 other organizations. More compelling are the two-minute self-assessments that enable comparison with your industry, peers and those that are answering “7’s” to the IT Rorschach Test.
