Virus attack
Viruses can do irreparable damage. With the right safeguards this can be easily avoided, says Natasha Staley at Sophos.
As too many organisations are aware, virus infections can be both destructive and far-reaching. Nowadays it would be difficult to find a company whose everyday routine does not rely upon the smooth running of its IT infrastructure. It is therefore easy to see why a rather unpleasant can of worms is opened when that is compromised.
The nature of the virus threat
Damage to data
One of the most talked about effects of a virus attack is the damage it can do to a company’s data. Many viruses are capable of wiping hard disks or corrupting the records held on a machine. Worse still are those viruses known as ‘data diddlers’, which subtly alter the figures in a spreadsheet or words within a document. Because the changes they make are not immediately obvious it can be weeks or even months before anyone notices that something is amiss. By that time the damage can be impossible to undo as back-ups are corrupted as well. That said, if a company does fall foul of a virus that simply eliminates data, back-ups can often be used to restore the lost information.
Clean-up costs
Working out how much it costs an organisation to reinstate lost data, or to negate corruptions made by malicious code, is an almost impossible task and depends greatly on the specifics of the virus in question. However, in most cases the IT department will be called in to perform the clean-up operation whilst the everyday running of the company has to be put on hold. This could mean that email is disrupted, a website becomes unusable and staff within the organisation are unable to perform their usual tasks. In a worst-case scenario it could mean bringing in an external party to help. As alarming as all of this sounds, data destruction is far from the worst thing a virus can do.
Spreading the infection
There are some viruses, such as Melissa and Sircam, that are capable of randomly selecting documents from an infected PC and distributing them to the contacts listed in an infected user’s address book. The virus will not search for any document in particular – whether it happens upon your latest financial projections or your plans to merge with another company is really left to chance. The likelihood, though, is that if it is a document of that nature, there are certain people (quite possibly in your email contact list) whom you wouldn’t want to see it.
A virus that sends out potentially sensitive information about a company can put it in a rather awkward position. Not only can a leak place competitors at an advantage, but suppliers, business partners and customers are also likely to find out that a business has allowed its security to be compromised by a virus. This can damage the trust of one company in another, as security is still very much a taboo issue. It can also make the parties that deal with a company feel vulnerable about the information they hold relating to them.
Unfortunately, this kind of situation is not something that can be rectified easily. Building relationships and a credible reputation can often take years and yet can be practically wiped out in a matter of minutes. Re-establishing relationships and reputation is far from an overnight task, and, in some cases, they could be irreparably damaged.
Protecting against viruses
However, it is not all doom and gloom. Virus infection is by no means inevitable for any company and the good news is that it is possible to protect corporate networks fairly easily.
Anti-virus software
Probably the most obvious step to take is to install a reliable anti-virus solution that is updated regularly. Most anti-virus solutions are able to detect the majority of viruses; but the speed with which updates to protect against the latest viruses are delivered differs somewhat. Most vendors offer automated updating over the Internet but customers should check out exactly how often they will be updated.
Policy solutions
Apart from the software there are other measures a company can take to protect itself against malicious code. One of these is to develop a safe computing policy whereby employees are informed of how to use their machines safely. Educating users about possible threats should begin at company induction stage so that members of staff know what is expected of them from the outset. It is astounding how many companies do not do this. You wouldn’t let someone drive around the M25 without a licence and yet people are placed in front of PCs and are expected to know how to use them correctly.
A safe computing policy should include points such as not opening unexpected emails and not downloading material from the Internet. The vast majority of viruses are spread via the Internet and email, which is why this is so important. Even if an email is received from a known source it could still be infected, so it is worth questioning whether it was expected and whether it is in the apparent sender’s usual style. Many virus writers use extremely bad spelling and grammar, which can be an obvious clue as to what the email really contains. An email from a known associate in a foreign language should also set the alarm bells ringing!
In addition, no files with double extensions should be executed. There are very few occasions when such a file would be legitimately required and the vast majority of them should be treated with suspicion. The simplest thing to do is to ask the sender to re-send the file with the correct extension.
Another measure to include within such a policy is the saving of Word documents as rich text format (.rtf) instead of as documents (.doc). Docs support the macro language, which allows macro viruses to run – it is far more difficult to infect an .rtf file. Users should also be instructed not to open or forward joke, movie or graphics files. Although these filetypes are virtually unable to support viruses, malicious code can be disguised as a file of this type.
System procedures
Network administrators should also employ measures such as disabling Windows Scripting Host, changing the CMOS boot-up sequence and blocking certain file-types at the email gateway. Some vendors include technology within their products that allows IT managers to prevent certain files from ever entering an organisation – this is certainly something to look out for when purchasing an anti-virus solution. A full list of safe computing procedures that would form a good basis for such a policy can be found at www.sophos.com/safecomputing.
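The double-extension rule and the gateway file-type blocking described above can be combined into one attachment check. The sketch below is an added example, not code from the article or from Sophos; the two extension lists, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists, not from the article: tune both to the organisation.
BLOCKED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js", ".wsf"}
DECOY_EXTS = {".doc", ".rtf", ".txt", ".xls", ".jpg", ".gif", ".mpg"}


def extensions(filename: str) -> list[str]:
    """Lower-cased extensions of a name, ignoring padding around each dot."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]
    return ["." + p for p in parts[1:] if p]


def classify(filename: str) -> list[str]:
    """Return the policy reasons for holding an attachment ([] means allow)."""
    exts = extensions(filename)
    reasons = []
    if exts and exts[-1] in BLOCKED_EXTS:
        reasons.append("blocked-type")
    # A document or picture extension followed by another one hides the real type.
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] != exts[-2]:
        reasons.append("double-extension")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw message to its hold reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        part.get_filename(): classify(part.get_filename())
        for part in msg.walk()
        if part.get_filename()
    }


def build_sample() -> bytes:
    """Constructed test message with three harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "staff@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in ("minutes.rtf", "holiday.jpg.vbs", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(f"{name}: {', '.join(reasons) or 'allow'}")
```

Version numbers such as `report v1.2.doc` are not flagged, because only a recognised document or picture extension in the second-to-last position counts as a double extension.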
Appropriate responses
Another important issue for organisations to consider once a safe computing policy is in place is what to do should an employee contradict the guidelines and allow a virus to penetrate the company defences. The natural inclination of some businesses would be to punish the member of staff concerned, either by verbal or written warning or by dismissal. However, this is often not the most effective way of dealing with such a situation. If staff know that they face disciplinary measures should they be responsible for a virus infection then they are far more likely to attempt to cover up an incident, which makes it far harder to administer the clean-up once it does come to light. Ideally in that situation an employee should feel comfortable with coming forward and admitting that they have made a mistake. Only if they continue to ignore the guidelines should users be disciplined.
Defending an organisation against malicious code of all types is not the sole responsibility of the IT department – every employee plays a part in protecting a company. The measures that are put in place do not have to be complicated, and if staff are encouraged to follow them from the outset they should become second nature.
Conclusions
Anti-virus protection in today’s climate demands a multi-faceted approach. Gone are the days when simply installing the software was enough. That software needs to be maintained constantly, by vendor and customer, to ensure that it detects the maximum number of viruses. In addition to the software, all users within an organisation should be taught how to use their computers safely. They may not be able to have as much fun as they once did, but a workable balance between functionality and security has to be sought.
Despite the horror stories of what viruses can do, it is worth remembering that it is possible to mount a comprehensive defence. Most virus incidents can be avoided relatively easily. The key to ensuring that an organisation remains virus-free is constant vigilance and attention. That may sound intimidating, but in view of the potential consequences of infection it is a small price to pay.
Sophos, the Real Business/CBI Growing Business Awards Company of the Year, is a world leader in anti-virus protection. It is strongly focused on the corporate marketplace where its vision, commitment to research and development, and rigorous attention to quality have taken it from strength to strength. Sophos’s increasingly rapid growth internationally is reflected in a user base of well over 20 million and revenues that soared by nearly 50 per cent in the period 2001–2002. Sophos products are sold and supported in over 150 countries through a global network of subsidiaries and partners. In a field where virus numbers typically rise by up to 800 per month, Sophos’s foresight and innovative approach have kept it at the forefront of the market.
For further information contact: Natasha Staley, Anti-Virus Consultant, Sophos Anti-Virus, The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire OX14 3YP. Tel: +44 (0)1235 559 933; Fax: +44 (0) 1235 544 114; Email: natasha.staley@sophos.com; Website: www.sophos.com
