Around 100,000 organisations were recently disrupted by the arrival of Slammer, a particularly fast-spreading computer worm that brought 10 minutes of global havoc. It is just one example of the problems that computers are bringing to businesses, says John O'Neill

Slammer did not arrive as an infected e-mail attachment, or as a programme downloaded inadvertently from a dodgy website. It simply arrived: the whole worm fitted in a single network packet (UDP, port 1434). Any machine running an unpatched copy of Microsoft SQL Server 2000, or the MSDE database engine bundled with many other products, was infected the moment that packet reached it, and each infected machine then fired copies at random addresses as fast as its connection allowed. Microsoft had published the fix six months earlier. Even organisations with firewall protection were penetrated, typically because the firewall let that traffic through, or because an infected laptop or remote connection carried the worm inside. That serves as a warning to all. We may need reassurances from our IT departments that our businesses are not exposed in this way.

IT security is a serious issue that all concerned with corporate risk must consider. As businesses realign themselves to compete in a changing world, IT security is often low on the agenda, despite the known consequences of security breaches.

The internet has opened up new possibilities and ways of working for many organisations, and has facilitated new relationships. It has also led to a migration of corporate risk from the physical to the intangible. Increasing proportions of corporate capital are intangible, with the value often held in databases. Data is valuable and it deserves protection.

Where do you start when evaluating IT security strategy? Finding a copy of the corporate IT security protocols would be a good place. Who has this document? Is it up to date? Does it embrace the principles of BS7799? Does it even exist? The questions are easy to ask, but the answers are often less obvious. Risk managers need to work closely with their IT departments to find solutions.

Security policy should be documented in a way that non-technical people can understand, and people should abide by the rules, or face up to the consequences. For example, there was one case involving a company with a satellite office overseas, which had an insecure telecom line connected to its network. The satellite office refused at first to disconnect the line, but when head office disconnected the satellite office from the rest of the company, compliance with group rules soon followed.

Ultimate responsibility for risk management, including all forms of security, rests with boards of directors. Directors' responsibilities are now codified, so there should be little doubt about the potential consequences for directors and other company officers should they fail to take appropriate steps to protect corporate assets. However, various surveys suggest that not every company director is fully aware of this. In extreme cases we could see company directors serving prison sentences, for example if child pornography was found stored on a corporate server as a result of lax security.

Corporate networks are clearly at risk, but the network does not always end at the office boundaries. Home working is becoming more prevalent, with users accessing the corporate computer network from remote locations. A remote PC connected over a dial-up or VPN link is, for practical purposes, on the corporate network, so unless each such PC is carefully controlled it can introduce viruses just as an infected PC sitting in the office would. It is often difficult to control who uses these PCs and what they are used for. They could become virus-infected or run a spyware application (a hidden program running without corporate consent) that sucks data from the corporate network and sends it over the internet to an undisclosed third party. Spyware can also make the PC run slower and tie up expensive telecom links. With portable machines there is the added burden of physical security: notebook PCs are easily stolen.

Many networks now extend into customers' premises, with IT departments often left to make the arrangements. They put their trust in the approach to security taken by their counterparts in the other company, but the trust is not always justified. What if one of the connected businesses has a weak approach to firewall deployment? If one company's system becomes virus-infected, the other's is immediately exposed. The risks are clear.

It could all become very embarrassing. I know of a company that was required to post data onto a web site hosted by a third party. The company and its client had shared access to the site. While the company's PC was connected to the internet, a hacker targeted it and installed a pornographic application. The company could never be sure whether it had inadvertently passed on this particular application to some of its trading partners. An investigation revealed the problem to be a firewall issue.

Secure strategies
There are ways to protect against intrusion. Firewalls and virus protection can both form part of the defence strategy - to prevent intruders coming in and to prevent leakage of corporate data to unauthorised third parties.

You also need to employ competent and responsible people, train them properly and make sure they are suited for the duties given to them. Checking systems and segregation of duties are crucial, but often missed. An example is the collapse of the former Barings bank, essentially caused because its rogue trader ran both the trading desk and the settlements office, and so was able to create an error account to hide his losses and then suppress the reporting of that account to the bank's head office.

People who keep information systems ticking over must be appropriately screened to make sure that they are trustworthy before they are employed. People within IT departments often have unfettered access to corporate data that would be very valuable in the wrong hands. Worryingly, companies often do not make even the most basic checks on employees or contractors.

Working practices must be robust. That involves ongoing training – ongoing because practices, people and priorities change. But the importance of security never changes. There is a constant need to keep it uppermost in everybody's mind and have acceptable use policies in place. People under pressure may be tempted to shortcut certain procedures. Checking systems are often the first to go.

You should control who has access to what. Passwords are the first step, but password control is generally poor. Passwords are often easy to guess, written down in accessible places, or shared freely with colleagues, and even shouted across open offices. They are infrequently changed and are sometimes not revoked when employees leave.

It is the connectivity that adds severity to electronic risk. To use a traditional example, the chances of a series of fires causing disruption at a number of geographically dispersed sites would be extremely remote. Yet, if a virus was to be spread across the corporate network serving each of those sites, they could all suffer simultaneous downtime.

Technology can help to solve security problems, but it must be configured correctly. The dangers from poorly configured protective devices, such as firewalls, are potentially acute. Gaps in any security strategy will allow hackers, former employees, or contractors to gain surreptitious access.
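What a "poorly configured protective device" looks like in practice, and why a firewalled organisation could still be hit by Slammer, as an added example that is not part of the article: a small first-match packet filter in Python, with a constructed weak rule table beside a hardened one and a constructed packet shaped like a Slammer probe. The port (UDP 1434) and 404-byte wire size are Slammer's real ones; the zone names, rule layout and the policies themselves are assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Slammer facts: one UDP datagram to port 1434 (the SQL Server 2000
# Resolution Service), 404 bytes on the wire including headers.
SLAMMER_PORT = 1434
SLAMMER_WIRE_BYTES = 404


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str     # zone the packet comes from: "internet" or "inside" (constructed simplification)
    dst: str     # zone it is going to
    dport: int   # destination port
    size: int    # bytes on the wire


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None means any port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if self is at least as general as `other` in every field,
        so every packet `other` could match would already have matched self."""
        return (self.proto in ("any", other.proto)
                and self.src in ("any", other.src)
                and self.dst in ("any", other.dst)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First-match evaluation, which is how most packet filters work:
    the order of the rules is part of the policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them.
    A 'deny 1434/udp' sitting below an 'allow any udp' is exactly this."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


def slammer_probe(src: str, dst: str) -> Packet:
    """A constructed packet shaped like a Slammer scan."""
    return Packet("udp", src, dst, SLAMMER_PORT, SLAMMER_WIRE_BYTES)


# Constructed weak policy: a broad UDP allow, added for some convenience, sits
# above the SQL block, so the block is dead and the probe walks straight in.
WEAK_POLICY = [
    Rule("allow", proto="udp"),
    Rule("deny", proto="udp", dport=SLAMMER_PORT),
    Rule("allow", proto="tcp", src="internet", dst="inside", dport=443),
]

# Constructed hardened policy: the SQL block first and in both directions
# (egress too, so an infected machine inside cannot scan the internet),
# narrow explicit allows, and default deny for everything else.
HARDENED_POLICY = [
    Rule("deny", proto="udp", dport=SLAMMER_PORT),
    Rule("allow", proto="udp", src="inside", dst="internet", dport=53),
    Rule("allow", proto="tcp", src="internet", dst="inside", dport=443),
]


def report(rules: List[Rule]) -> dict:
    """Run the two Slammer probes and a legitimate HTTPS request through a policy."""
    return {
        "inbound_probe": evaluate(rules, slammer_probe("internet", "inside")),
        "outbound_probe": evaluate(rules, slammer_probe("inside", "internet")),
        "https_in": evaluate(rules, Packet("tcp", "internet", "inside", 443, 100)),
        "dead_rules": shadowed_rules(rules),
    }


if __name__ == "__main__":
    print("weak    ", report(WEAK_POLICY))
    print("hardened", report(HARDENED_POLICY))
```

The weak table "has a rule blocking SQL traffic", and a reviewer reading the rule list in isolation would be satisfied; only evaluating it, or running a shadowing check, shows that the rule never fires. Note also what even the hardened table does not do: it sits at the border, so a notebook infected at home and plugged in inside bypasses it entirely, which is the remote-PC point made earlier in the article.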

It may seem daunting, but with a methodical approach, there is a lot that corporate risk managers can do about this. This includes:

  • reinforcing security awareness among staff by regular bulletins and briefings
  • keeping security high on the corporate agenda by persistent lobbying
  • compelling IT directors to share any security breaches with their board colleagues
  • reviewing the change control procedures within IT departments. Are they robust enough? Are they always followed?
  • checking the access rights of each employee, client and supplier, and checking for people who still have access but should no longer have it
  • reviewing any passwords shared across whole groups of users
  • checking that antivirus software is up to date
  • checking firewall configurations, and that known security patches have been applied to the systems behind them
  • considering an external IT audit
  • checking backup arrangements for electronic trading partners and outsourcing organisations. What business continuity plans do they have?
  • checking insurance cover. Does the business interruption policy have suppliers' extensions? Are electronic trading partners included?
  • checking for any geographic limitations in the insurance cover. If data is stored outside the UK, territorial limitations may limit the cover in force.

Our experience of electronic trading will grow in the future. Much will be based on the mistakes of the unfortunate businesses that have suffered losses, either through misfortune, or because they failed to manage their risks effectively. Make sure that your own business is not one of these.

John O'Neill is commercial projects director, Cunningham Lindsey United Kingdom, Tel: 0121 233 6771, E-mail: john.o'


Virus Primer
What is the difference between a virus and a Trojan? Antivirus and content security software and services provider Trend Micro gives a useful primer on its website, using the term 'malware' – short for malicious software – to describe any malicious or unexpected program or code such as viruses, Trojans, and droppers. It says the main difference between a Trojan and a virus is the former's inability to replicate. Trojans cause damage, unexpected system behaviour, and compromise the security of systems, but they are not self-multiplying. A computer virus, on the other hand, is a program – a piece of executable code – that has the unique ability to replicate. Like biological viruses, computer viruses can spread quickly and are often difficult to eradicate. They can attach themselves to just about any type of file and are spread by files that are copied and sent from individual to individual.

In addition to replication, some computer viruses share another function, a damage routine that delivers the virus payload, says Trend Micro. While payloads may only display messages or images, they can also destroy files, reformat your hard drive, or cause other damage. If the virus does not contain a damage routine, it can cause trouble by consuming storage space and memory, and degrading the overall performance of your computer. More than 60,000 viruses have been identified, and 400 new ones are created every month, according to the International Computer Security Association (ICSA). It is therefore likely that most organisations will regularly encounter virus outbreaks.

Speedy Slammer
A team of network security experts says that the computer worm that attacked the global internet recently was the fastest ever recorded. The report by the American National Partnership for Advanced Computational Infrastructure on the spread of Slammer says that the speed and nature of the worm represent significant and worrisome milestones in the evolution of computer worms.

Computer scientists found that the worm, also known as Sapphire, doubled its numbers every 8.5 seconds during the explosive first minute of its attack. Within 10 minutes of debuting, the worm was observed to have infected more than 75,000 vulnerable hosts. The infected hosts spewed billions of copies of the worm into cyberspace, significantly slowing internet traffic and interfering with many business services. Because each copy of the worm fits in a single small packet, a single computer with a 100-megabit-per-second connection would allow the worm to scan 30,000 machines per second.

The team found nearly 43% of the machines that became infected were located in the US, almost 12% were in South Korea, and more than 6% were in China. However, analysis of the worm revealed no payload intended to harm its infected hosts: the damage came from the traffic it generated.
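The arithmetic behind those figures, as an added example that is not from the article or from the report it summarises: a short Python sketch of how a single-packet, random-scanning worm grows. The 404-byte wire size (376-byte payload plus UDP/IP headers), the 8.5-second doubling time and the 75,000-host figure are Slammer's; the exponential and logistic formulas are the standard random constant spread model for such worms, the 2^32 address space is IPv4, and taking the 75,000 observed infections as the vulnerable pool is an assumption made here for the last calculation.

```python
import math

# Slammer facts from the report above: one UDP datagram per scan, 376 bytes of
# payload plus 28 bytes of UDP/IP header, so 404 bytes on the wire.
SLAMMER_WIRE_BYTES = 404
DOUBLING_TIME_S = 8.5        # observed during the first minute
HOSTS_AT_10_MIN = 75_000     # infected hosts observed after 10 minutes
IPV4_SPACE = 2 ** 32         # addresses a random scanner picks from


def scans_per_second(link_bps: float, packet_bytes: int = SLAMMER_WIRE_BYTES) -> float:
    """A single-packet worm is bandwidth-bound: every packet it can push out is one scan."""
    return link_bps / (packet_bytes * 8)


def growth_rate(doubling_time_s: float) -> float:
    """Continuous growth constant K such that N(t) = N0 * exp(K * t)."""
    return math.log(2) / doubling_time_s


def exponential_infected(t_s: float, k: float, n0: int = 1) -> float:
    """Early phase: almost every scan hits an uninfected target, so growth is exponential."""
    return n0 * math.exp(k * t_s)


def time_to_reach(target: int, k: float, n0: int = 1) -> float:
    """Seconds for an unconstrained exponential to reach `target` infected hosts."""
    return math.log(target / n0) / k


def logistic_infected(t_s: float, k: float, vulnerable: int, n0: int = 1) -> float:
    """Random constant spread model: infections slow as the vulnerable pool fills.
    With a = fraction infected, da/dt = K a (1 - a), whose solution is
    a(t) = a0 e^{Kt} / (1 - a0 + a0 e^{Kt}). Returns a number of hosts."""
    a0 = n0 / vulnerable
    e = math.exp(k * t_s)
    return vulnerable * a0 * e / (1 - a0 + a0 * e)


def per_host_scan_rate(k: float, vulnerable: int, address_space: int = IPV4_SPACE) -> float:
    """In that model K = r * V / 2^32 (r scans per second per infected host,
    V vulnerable hosts), so an observed K implies an average r of K * 2^32 / V."""
    return k * address_space / vulnerable


def summary() -> dict:
    """The report's numbers, recomputed from the doubling time and packet size."""
    k = growth_rate(DOUBLING_TIME_S)
    r = per_host_scan_rate(k, HOSTS_AT_10_MIN)   # assumes V = 75,000 (see lead-in)
    return {
        "scans_per_s_on_100mbit": scans_per_second(100e6),
        "growth_constant_per_s": k,
        "seconds_to_75k_if_unconstrained": time_to_reach(HOSTS_AT_10_MIN, k),
        "logistic_infected_at_600s": logistic_infected(600, k, HOSTS_AT_10_MIN),
        "implied_avg_scans_per_host_per_s": r,
        "implied_avg_mbit_per_host": r * SLAMMER_WIRE_BYTES * 8 / 1e6,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:,.2f}")
```

Two things fall out of it. First, 100 Mbit/s divided by 404 bytes is just under 31,000 packets a second, which is where the "30,000 machines per second" figure comes from: the worm's speed was set by bandwidth, not by any cleverness in the code. Second, at a doubling time of 8.5 seconds an unconstrained exponential reaches 75,000 hosts in a little over two minutes, so the fact that the observed count took nearer ten minutes reflects links saturating and the vulnerable pool running out, which is what the logistic curve models. Either way, the whole event is over long before any human can read an alert, which is the point the article makes about patching and firewall rules having to be right in advance.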