How would your business cope if you lost all of your PCs for a couple of days, or perhaps even a week? For most companies this would be nothing short of a disaster and for many organizations a less severe IT failure could have an equally catastrophic impact on the business. If you’re unlucky enough to lose a few critical systems, the damage can be just as bad as if your entire IT infrastructure had gone down.
The bad news is that all over the world there are teams of clever, determined people who would like nothing better than to see your computer systems come grinding to a halt. Computer viruses are becoming more sophisticated and dangerous than ever before, and the people who create them seem to grow more prolific every year. Roger Levenhagen, MD of Trend Micro (UK and Ireland) says, “We have to accept that we are in a bit of a virus writers’ war, there are these groups that are trying to outdo each other and it’s difficult to predict where it’s going to end. We have to accept that these people are smart. These aren’t kids writing viruses, these are organized groups, maybe with a hidden agenda of somehow through dubious means getting business out of this.”
According to the DTI’s Internet Security Breaches Survey 2004, 68 per cent of UK businesses suffered at least one malicious security incident over the past year. Of those companies, 70 per cent said that a virus infection was the worst kind of incident they faced. The report was released at the opening of this year’s Information Security conference at London Olympia. Speaking at the launch, Stephen Timms MP, Minister of State for Energy, e-Commerce and Postal Services said, “UK business is now using the Internet for business purposes as a matter purely of routine, and that is excellent news. But of course with that rapid adoption, that I’m very keen to encourage, does come significant risks and we can’t yet say on the basis of this survey that those risks are being sufficiently well managed by UK companies”.
The survey reports that the average cost of each organization’s worst security incident was between £7,000 and £14,000 when measured across all UK businesses. When measured across just the large businesses, this figure rose to between £65,000 and £190,000. Putting a price on the damage a virus can do to your business isn’t always easy, but an understanding of just how much a security lapse can cost you is important to the process of mapping out a suitable security plan. Duncan Brown, UK consulting director at IDC, said, “As long as you look at security as an IT issue, it will always get measured in those terms – things like downtime of your computer systems. You can put a figure to those things, but does that really reflect the total cost to the business? Does your investment in your security solution reflect the risk to the business? It may reflect the risk to the IT and the IT manager, but not to the business as a whole.”
Although serious virus attacks are becoming more frequent, the problem of spam is with us every single day of the year and this, arguably, presents a bigger problem for most organisations. Email is a powerful and widely used tool (93 per cent of all UK businesses use email), but it’s in serious danger of being rendered unusable by the sheer weight of junk mail that users have to wade through to get at their genuine mail. The problem affects businesses to varying degrees. In the DTI survey a third of businesses said that spam was a major issue for them, but the same number said that it simply was not an important problem. According to research carried out for Sophos, 80 per cent of small businesses say that spam is dramatically affecting their productivity, but only 25 per cent have any anti-spam measures in place.
Since the volumes of unsolicited email are, in all likelihood, only going to increase in the foreseeable future it seems probable that spam is going to find its way further up the security agenda.
It may sound somewhat alarmist to say that things are getting much, much worse but this, sadly, is the truth. Viruses are becoming more frequent and increasingly sophisticated. Why is this? While talk of a ‘virus war’ may seem melodramatic, there is plenty of evidence to suggest that rival teams of virus writers around the world are engaged in an intensifying game of one-upmanship. Despite the fact that software vendors frequently release patches for operating systems and anti-virus software, new viruses seem to spread across the Internet with alarming regularity.
Many of the most widespread viruses of recent years were distributed as email attachments which required users to actively open them up so that they could execute and infect the system. These viruses relied on what is known as ‘social engineering’ – that is, fooling people into helping them spread. The ‘love-letter’ virus was a perfect example of social engineering: email users were told that the attachment contained a message from a secret admirer. Who could resist opening it? Although they caused considerable problems at the time, these email viruses can be halted fairly easily by a combination of up-to-date AV software and user education.
More recent viruses such as Blaster and Sasser require no such user assistance and are capable of spreading themselves. These viruses exploit flaws (known as ‘vulnerabilities’) in Windows and other software which make it possible, with a bit of clever programming, for them to infect a machine without the user having to do anything. Once infected the computer can then be made to seek out and infect other vulnerable machines on the network.
Businesses should be particularly worried about the relatively recent development of ‘blended threats’. A blended threat involves a virus-like program infecting your computer and then exploiting vulnerabilities in the operating system to allow a hacker to remotely access and manipulate the machine. This means that they could delete or copy your files, or even install a key-logging programme which records all of your key-strokes – an easy way of obtaining your passwords.
Blended threats represent a shift in the motivations of virus writers. Graham Cluley, senior technology consultant at Sophos said, “In the past it used to be typically teenagers who were showing off and displaying childish messages, nowadays it is much more likely that they are trying to steal your credit card details or open up your computer so they can hack in and exploit your system for their own ends.”
Another recent phenomenon is the increasing convergence of spam and viruses. As developed nations attempt to control spam through legislation, the spammers are having to move offshore or find alternative methods of operating. Increasingly, viruses are being used to turn computers into ‘zombie PCs’ which are used by spammers to send out junk email without the users’ knowledge. By using a massive network of infected machines to send out their mail, the spammers make it almost impossible for anybody to shut them down.
“We saw a number of viruses last year, in particular the Mimail viruses, when they infected a computer they actually put in place a warhead that was designed to launch a DoS attack against anti-spam websites,” said Cluley. “You have to ask yourself, why would a virus writer ever want to do that? That is only of interest to people who are in favour of spam and we cannot believe the typical virus writer actually likes spam, because it is as much of a nuisance to them as it is to the rest of us. The only people who would be interested are the spammers themselves. We believe the spammers are actively looking for compromised PCs to send their spam from. More than one third of spam is sent from these zombie computers.”
This raises an issue of corporate responsibility. By failing to implement adequate security measures, companies are contributing to a problem that impacts not only themselves but the business community as a whole. Inaction might lead to accusations of negligence. There may come a time in the future when governments and large organisations may insist upon a minimum standard of IT security in their suppliers and other small companies they do business with.
Symantec security consultant Jeremy Ward commented, “It has got to be the responsibility of everybody who connects to the Internet to make sure that their system is operating in a protected way because you cannot rely on legislation to make sure that it happens for you. It is no longer just a question of what is happening to you, but are you becoming part of something that is happening to other people?”
How does this affect SMEs?
The current security landscape presents smaller businesses with a unique set of problems. First among these is the lack of in-house IT expertise that most small companies suffer from; many are lucky if they have dedicated IT personnel, never mind information security specialists. This means that they are less able to deal with a virus attack as it happens, and less able to put in place an effective security system to protect against future attacks. Sure, many small businesses might have installed some anti-virus software on their desktops, but how many of them know that software is next to useless unless it is updated every day?
Also, small businesses are more likely to be using older operating systems such as Windows 95, for which Microsoft no longer produces updates, or Windows 98, which is likely to suffer the same fate in the near future. These systems were never designed to offer business-strength security features, and without regular patching from Microsoft they are easy prey for hackers and virus writers.
Smaller companies are becoming increasingly dependent on their web-sites and while their lower public profiles mean they are less at risk from denial of service attacks, such an attack will, in all probability, have a far greater impact on the business.
Until recently the SME market has been largely ignored by many security vendors, leaving them with the choice of expensive and complex software intended for the corporate market, or the basic and often poorly supported AV packages sold to home users. However, over the past few months the entire security industry appears to have targeted the SME market and now the problem is one of cutting through the jungle of marketing material to work out exactly what security measures to put in place.
IT security is a huge subject and while viruses and spam are the most obvious threats faced by businesses, they are not the only security issues you should be concerned with. The question is, where do you start? There are hundreds of security vendors vying for your business, and for organisations with little or no IT expertise the task of forming a workable security strategy can be so daunting that it is likely to be left forever on the back burner.
Before you even start thinking about what products and services you may need to invest in, it is worth taking a good look at your business and building a picture of your weak points. This does not need to be a complex process – simply look at your systems and ask questions like: How important is this to my business? Is it critical or could I survive without it for a month or two? Does it even need to be connected to the Internet, or would it function just as well as a stand-alone system?
Jeremy Ward of Symantec said, “You do not need to have complicated security systems, sometimes you can simply disconnect it from the Internet. But until you have gone through that exercise of determining what is important, and why and how you can best protect it, you would not know that.”
It is also important to think about how any new security system would work with the resources you have available. For example, you might think that an intrusion detection system sounds like a great thing to have, but unless you are able to have a member of staff constantly monitoring the system and acting on any alerts, it is going to be practically useless.
If you are in doubt as to your own ability to implement and manage an effective security solution, the answer is simple: seek outside help. Seek a trusted channel reseller to help analyse your requirements and suggest appropriate solutions, or even consider completely outsourcing your security to a managed service provider. Companies that rely heavily on their IT systems and the Internet to do business should weigh the cost of a managed service against the cost of a prolonged system outage. Brown said, “You need to think holistically, you need to think of integrated solutions including AV and identity management and secure content management, and so on. Go to a channel partner and buy an integrated solution, possibly as a service.”