This week sees the 25th Virus Bulletin conference, which takes place in Prague from 30 September to 2 October. We spoke to Virus Bulletin’s editor, Martijn Grooten, about how threats have changed over the last 25 years.

My colleagues and I have been very busy preparing for this week’s 25th annual Virus Bulletin International Conference, but on the occasion of this anniversary I wanted to take a little bit of time to reflect on how much has changed in the last quarter of a century.

Looking back at the presentations delivered at the early Virus Bulletin conferences in the 1990s, it’s shocking to see how easy it was back then for computer viruses and worms to spread to millions of computers.

And yet, we were fortunate that attackers really only wrote their viruses for vanity, and seemingly had no intention of making money from infecting computers.

As readers of this site surely know, today’s attackers have become much more professional: whether they’re in it for money or for political reasons, they are often part of organisations with ample resources for both large-scale and more targeted attacks.

Thankfully, security has steadily improved over the past 25 years as well, and today’s attackers have to work a lot harder.

We’re fighting back with new, secure-by-design mitigation techniques like ASLR (which makes buffer overflow attacks much harder to pull off), and security products that go beyond signatures for better detection of suspicious files and behaviours.

One thing hasn’t changed: users continue to cause problems for themselves and their organisations by doing things they shouldn’t do.

Security experts tend to get very excited – or, depending on the person, very worried – about vulnerabilities that can be exploited without any user interaction. And it’s true, such vulnerabilities are pretty scary.

But whether they’re a small-time cybercrook or a nation state-sponsored APT gang, attackers find that it’s much easier to exploit one impossible-to-patch vulnerability: the human.

One of the most costly cyberattacks to date, the $66 million attack on security vendor RSA, started when a curious employee looked at an email that was boobytrapped with malware.

Many other large-profile attacks succeeded because an employee did something even my late grandfather knew not to do: open an unsolicited email attachment.

We shouldn’t be smug. Many people who should know better make very basic mistakes.

When he was on the run from Belize police, antivirus pioneer John McAfee had his location tracked through EXIF data.

Security guru Bruce Schneier is an encryption advocate and expert, but he tells a story of a time he was so busy encrypting documents on his laptop, to keep them from the prying eyes of airport security, that he forgot to delete the unencrypted originals.

What can we do better in the future?

We should, of course, continue to increase our efforts to write secure code. At least in theory, it’s possible for all code to be properly secure. (In practice, it’s good to keep in mind that code is written by humans; Heartbleed, one of the most serious vulnerabilities of recent years, was a human error.)

And we should mitigate the harm that can be done by those sitting between chair and keyboard with education and clear warnings.

Ultimately, neither security software nor training alone can protect unpatched systems and unwary users from today’s sophisticated and opportunistic threats, which is why a coordinated defence is essential.

I can’t see into the future to know what tomorrow’s threats will look like.

But I have little doubt that in 2040, there will be a 50th Virus Bulletin conference somewhere in the world – when experts will grapple with problems we can’t foresee, in devices and services we can’t imagine.

And people will probably still bemoan users and their insistence on doing things they shouldn’t do.

Follow @SophosLabs

Follow @NakedSecurity

Image of circuit board clock courtesy of Shutterstock.com.