The enemy at the gates

Companies do too little to protect themselves from internet attacks. Stephen Pritchard has the answer
Security is becoming a big headache for businesses. According to the Department of Trade and Industry, almost half of UK firms suffered some form of malicious security attack last year. And the figure - 44 per cent of all companies - does not include those that fell victim to a computer virus.

As the internet becomes more and more important to companies of all sizes, computer security is emerging as a far greater issue. Large businesses can afford to invest in dedicated computer security teams and sophisticated measures to detect and deal with intruders and viruses. Small and medium-sized firms, however, could be leaving themselves open to attack.

Companies are often highly conscious of the need for physical security, and lock up expensive IT equipment, such as servers, in secure rooms. But many do too little to protect their networks against either external intruders or disgruntled members of their own workforce.

"If someone steals a critical server it will almost certainly cause severe problems," says Nick Coleman, head of security services at IBM. "But a virus attack could have the same impact." All too often, businesses are unaware of how vulnerable they are, or they lack the expertise and resources to improve security.

As companies increase their use of the internet and move towards permanent, broadband connections, they are also more vulnerable to hackers either breaking into their systems, or using an innocent company's computer as a springboard to attack other networks.

"A hacker can download software from the Web to carry out what's known as distributed denial of service attacks," warns Bob Brace, a vice-president at Nokia Internet Communications. "They can be in and out of your system in seconds and leave a dormant piece of software that they then use to attack other networks. You could then face legal action if a hacker uses your computers to take out another site."

Unfortunately, businesses often only improve their security after an attack or because a client insists on tighter measures before agreeing to trade. But hackers are sophisticated at covering their tracks - and companies that link their computers to the internet without taking adequate security precautions could be compromised without even knowing it.

Virus attacks are easier to spot, but no less damaging. The IT industry estimates that the chance of a virus attack is growing by 15 per cent a year, despite greater security spending by businesses. The reason, it seems, is less that virus writers are targeting businesses directly. Instead, the increase in communication by email, and the fact that more people now have computers at home, are creating new ways for viruses to spread.

Computer viruses are small programs that spread themselves from computer to computer, usually through a floppy disk or CD-ROM that contains the virus, or through a file attached to an email. Some of the most active viruses spread by sending copies of themselves to everyone in a computer user's electronic address book. In this way, a virus can spread across the world in a matter of hours. Viruses such as "Klez" even make it hard to keep to the usual rules of secure computing, such as not opening emails from unknown senders. The Klez virus has a knack of taking on the identity of the infected machine's user, so merely being vigilant is not enough.

"Klez has infected the most PCs this year," says Jack Clark, a spokesman for the security and anti-virus company McAfee. "We have seen a huge crossover from viruses that would normally only affect consumers now infecting businesses."

Protection against viruses and hacking is possible by buying security software and installing it on desktop computers and servers. The trouble is that any security system is only as strong as its weakest link, especially when it comes to guarding against viruses. One unprotected computer, such as a laptop, can expose all users to outside threats. For small companies, this might not be a problem, but as businesses grow, keeping security software up to date can pose a real challenge.

The IT industry has two solutions: improving security management tools, and security devices that manage themselves. For companies with a reasonable number of IT professionals, better management tools allow support staff to carry out most updates to anti-virus and security software from their own desks, rather than by going from machine to machine to install new programs.

A better solution for companies that are growing quickly, or where IT is not the main area of expertise, is a so-called security "appliance". These boxes are about as plug-in-and-play as computer security can be.

In the simplest scenario, all a company needs to do is to plug the security device, usually known as a firewall appliance, into the internet connection. The office network is then connected to the appliance, and all the computers should be secure.

The simplest firewall boxes can cost as little as £200; Nokia, for example, sells its entry-level hardware firewall for around £300.

Similar devices can scan emails and Web traffic for viruses; anti-virus companies such as Symantec and McAfee, as well as networking companies, such as Nokia, and security specialists, offer a range of easy-to-use appliances. There are even some boxes on the market that offer both virus scanning and firewall security, although the experts say it is usually better to buy a purpose-built box for each job.

Once installed, appliances will automatically update themselves with the latest security software, although there is often a subscription for this.

But, as the analyst firm Meta Group estimates that most companies spend more on coffee than they do on computer security, the cost is small set against the peace of mind it brings.


* Create a security policy. This should not only cover how to block hackers or viruses but also give procedures on passwords, access to servers and even parts of the building.

* Keep security software up to date. Threats change all the time, and out-of-date security software can give a false sense of security. Pay for an update subscription or a managed service.

* Plan how you will respond to an outbreak of a virus or a hacker attack. Panic will only make matters worse.

* Keep back-ups: at least then if something does go wrong, you will not lose everything.

* Educate the workforce in security awareness: the more your people understand the importance of security, the safer you are.