With the Trojan horse of laptops, viruses find a way through the network firewalls

As more and more companies equip their staff with portable machines, so software criminals have found a weak link in heavily fortified office IT systems. Stephen Pritchard reports
Click to follow

Computer security experts could be forgiven for feeling under pressure. Last week, the National Hi-Tech Crime Unit (NHTCU) reported that 97 per cent of UK companies had experienced a virus attack, on average nearly 16 times a year - a problem that cost them hundreds of thousands of pounds each to deal with.

Computer security experts could be forgiven for feeling under pressure. Last week, the National Hi-Tech Crime Unit (NHTCU) reported that 97 per cent of UK companies had experienced a virus attack, on average nearly 16 times a year - a problem that cost them hundreds of thousands of pounds each to deal with.

Consultancy firm Deloitte issued a warning that over the next 10 years, companies will be increasingly vulnerable to computer-based attacks, especially as more and more people use mobile gadgets including phones, laptops, music players and gaming devices, as well as wireless data connections such as WiFi. And a survey by Dynamic Markets, carried out for security software company Websense, found that 71 per cent of IT managers believe company laptops pose a risk.

Dynamic Markets also found that businesses are ignoring the threat: only 21 per cent of companies surveyed had restrictions or policies covering how employees should use company laptops outside the office.

Over the past few years, large companies have invested heavily in so-called "perimeter" security: firewalls, virus-detection software and systems to monitor intrusions. These measures can, though, make computer users complacent. Step outside the company network and you are on your own as connections such as home broadband will not provide the same protection.

The problem is becoming more acute for businesses as they replace desktop PCs with portable units, for laptop users often do not realise how much more vulnerable they are. Nor are they fully aware of the problems that can arise when they make personal use of a company computer.

"Of all the things an IT department can give someone, laptops and mobile phones are the most likely to morph into a personal possession. That becomes a risk factor," warns Simon Perry, security expert at Computer Associates, the software giant. He points out that problems range from executives lending their laptops to the kids to use as portable DVD players, to staff surfing the darker recesses of the internet from a hotel broadband connection.

The authors of malware - software that infects computer systems causing damage and, possibly, harvesting confidential data - are sophisticated. Instead of trying to hack into company systems that sit behind powerful firewalls, they hide malicious code in other applications or attachments. Adult websites and file-sharing services are favourite targets.

Once downloaded to a vulnerable machine, malware can lie undetected for days or even weeks. But as soon as that computer connects to the corporate network, the software will quickly move to infect other machines.

Last year, Colorcon - a pharmaceutical company that lost a mail server to the common Netsky virus - traced the outbreak back to a laptop user. The virus, like much of the current generation of malware, had not affected the laptop. But it took less than a day for it to infect the network.

Often, companies let users of portables install or delete software as they see fit, whereas IT departments are more likely to restrict the use of desktop machines. But there is also evidence that hackers and criminals are actively targeting both portable computers and home broadband connections because they are a weak link in companies' security strategies.

"There has been a huge rise in the number of compromised broadband networks," says Mark Murtagh, European technical director for Websense. "The fact is that computers are taken home and left online for long periods, downloading movies and so on. We are seeing webservers being set up [on laptops] and being used as part of networks for spam - or having phishing websites set up on them." (Phishing is when a program steals personal or financial information.)

Companies can take steps to protect their mobile workers, for example by installing firewall, anti-virus and website-blocking software on their laptops. But this is rarely a perfect solution, not least because it is hard to keep such software up to date for staff who are rarely in the office.

"A day's worth of network loss can cost a business hundreds of thousands of pounds," says Mike Maddison, director of security services at Deloitte. "But for threats such as Trojans, which exploit vulnerabilities in Microsoft software, the only way to respond is to patch [update] the machine. That is difficult to do centrally, so you may have to walk the floor with the software on a CD. Until you update the last machine, you are still vulnerable."

This adds to the threat posed by laptop computers, as they might not be patched and so could reintroduce those same vulnerabilities that the companies think they have removed.

The situation is made worse by the way in which many corporate networks deal with security. If a "trusted" computer, such as a company laptop, logs on to the network, the security system does not monitor it any further.

This can even apply when road warriors log on from a hotel or home using a secure virtual private network. The VPN protects the connection between the laptop and the office, but it does not screen the data moving between them. If a piece of malware is on the laptop, it can then move unhindered on to the corporate network.

Computer companies are working on systems that will quarantine laptops that do not meet corporate security requirements, and monitor all machines for unusual activity. But even the experts admit that these systems are still far from perfect.

Rather than relying on technology alone, the answer could well lie in better policies for IT use and better education. According to Graeme Pinkney, head of threat intelligence for Europe at computer security company Symantec, IT managers have to accept that they no longer have a single parameter they can defend.

Instead, it is mobile users who form the front-line defence against hackers and cyber criminals. "A lot of this is down to education," says Mr Pinkney. "Once a laptop is outside the corporate network, it is hard to get away from hotspots, for example. You want to be able to catch up on your email." However, if computer users are made aware of how dangerous some parts of the internet can be, they are much less likely to stray there.

Colorcon, for its part, has bought software that controls what its mobile users can and cannot set up on their laptops. This prevents Trojans and other malware applications from installing themselves on company computers, unbeknown to users.

Since the software went live, says Colorcon's global Windows administrator, Russell Ryan, the company has had no problems with viruses or spyware.

Other companies with large numbers of mobile users will want to follow Colorcon's example, before they too learn about laptop security the hard way.