It is common knowledge that viruses can damage businesses by
corrupting and deleting files, writes Graham Cluley.
In addition, they can strain relationships and dent an
organisation's reputation if inadvertently mailed out from a
company. However, in an increasingly litigious world, organisations
could now find that they are held financially and legally
responsible for the damage caused by their distribution of
malicious code.
An increasing number of companies are including clauses in their
contracts with suppliers and partners which set out which party
picks up the bill if a virus spreads between them. And, with the
introduction of legislation such as the Data Protection Act 1998,
directors now have a legal liability to keep their company's data
safe and secure.
Virus infections fall under the Data Protection Act because some
viruses (known as "data diddlers") silently modify files rather than
destroying them. There are even examples of viruses that alter
spreadsheet cell values by a tiny factor (0.0000001) on one day every
month. Such alterations are too small to notice on screen, but over
time they accumulate into serious, hard-to-trace data corruption.
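The practical defence against this kind of silent tampering is an integrity baseline: store a hash of each cell (or of the whole sheet) out of band and compare against it, rather than relying on anyone noticing a change in the displayed figures. The following is an added example, not code from the article or from Sophos; the CSV sample, the 1.0000001 scaling factor used to simulate the "data diddler", and all function names are constructed for illustration.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample "spreadsheet" (a CSV export); not real company data.
SAMPLE_CSV = """account,q1,q2
sales,1250.50,1312.75
costs,980.00,1015.25
"""


def load_rows(text):
    """Parse CSV text into a list of dicts. Numeric cells become Decimal so
    comparisons are exact instead of being blurred by float rounding."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        parsed = {}
        for key, value in row.items():
            try:
                parsed[key] = Decimal(value)
            except ArithmeticError:  # decimal.InvalidOperation for non-numeric text
                parsed[key] = value
        rows.append(parsed)
    return rows


def cell_digest(rows):
    """Map (row index, column) -> SHA-256 of the canonical cell text.
    This is the baseline an integrity check keeps somewhere the sheet's
    owner (or a virus on the same PC) cannot rewrite."""
    digests = {}
    for i, row in enumerate(rows):
        for key, value in row.items():
            digests[(i, key)] = hashlib.sha256(str(value).encode("utf-8")).hexdigest()
    return digests


def file_digest(rows):
    """One hash over the whole sheet for a cheap 'has anything changed?' test."""
    h = hashlib.sha256()
    for i, row in enumerate(rows):
        for key in sorted(row):
            h.update(f"{i}:{key}={row[key]}\n".encode("utf-8"))
    return h.hexdigest()


def simulate_data_diddler(rows, factor=Decimal("1.0000001")):
    """Constructed stand-in for the behaviour described in the text: scale every
    numeric cell by a factor so small that the displayed value does not move.
    The factor is an assumption for the example, not any real virus's constant."""
    tampered = []
    for row in rows:
        tampered.append({k: (v * factor if isinstance(v, Decimal) else v)
                         for k, v in row.items()})
    return tampered


def find_changed_cells(baseline_digests, rows):
    """Compare a sheet against its stored baseline; return the cells that differ."""
    current = cell_digest(rows)
    return sorted(cell for cell, digest in baseline_digests.items()
                  if current.get(cell) != digest)


def looks_unchanged_to_a_human(original, tampered, places=2):
    """True when rounding to the displayed precision hides every change,
    which is exactly why this kind of tampering survives visual review."""
    quantum = Decimal(10) ** -places
    for a, b in zip(original, tampered):
        for key in a:
            if isinstance(a[key], Decimal) and a[key].quantize(quantum) != b[key].quantize(quantum):
                return False
    return True


if __name__ == "__main__":
    original = load_rows(SAMPLE_CSV)
    baseline = cell_digest(original)          # taken when the sheet was known-good
    tampered = simulate_data_diddler(original)  # what the sheet looks like a month later
    print("visible to a reader:", not looks_unchanged_to_a_human(original, tampered))
    print("caught by baseline :", find_changed_cells(baseline, tampered))
```

The baseline only helps if it is taken while the data is known-good and stored where the infected machine cannot update it (for example, on a separate host alongside backups); a hash that the virus can regenerate after each edit proves nothing.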
Other viruses - for example 2001's Sircam worm - scoop up random
documents from infected PCs and e-mail them to addresses harvested
from the machine, such as the Outlook address book.
Insurance
Bearing in mind the Data Protection Act and
the increasing inclusion of these "cyber liability" clauses, it is
surprising that few businesses are insured against any form of IT
security breach. Indeed, according to a recent survey by
independent network consultancy Scalable Networks, only 11% of UK
companies have taken out any form of computer crime
insurance.
This lack of cover may be due to the complicated issues surrounding
cyber liability.
Firstly, it is difficult to ascertain exactly how much a virus
infection and its clean-up have cost the injured party.
Secondly, with the Data Protection Act stating that "reasonable"
measures need to be taken to prevent data loss or damage, it is
difficult to establish whether an infection was simply a case of
bad luck or was due to misuse or negligence.
Furthermore, these aspects of the Data Protection Act remain
untested - no UK director has yet been to court, or even been charged,
for failing to keep their company's data securely protected. What
constitutes "reasonable" measures still has to be legally defined,
but on paper at least, companies (and their directors in
particular) could be held liable.
Decreasing risk
Before the issue of liability is
properly defined in the courtroom, there are some guidelines -
particularly ISO 17799 (the international version of BS 7799) - which
can dramatically decrease the risk of network infection. These best
practice guidelines cover security procedures, processes and staff
training as well as tactical product deployments.
In addition to following such guidelines, businesses should consult
with their insurance companies and negotiate premiums to cover
their online systems. These premiums should reflect their exposure
to risk, the value of the data held on their systems and the
measures which are in place to reduce their exposure to virus
infection and IT security breaches in general.
Of course, under the Computer Misuse Act 1990 it is illegal to
enter and/or modify another party's machine without their
permission. So we should not lose sight of the fact that the real
guilty party is the person who releases the virus into the wild.
To help bring these virus writers to book, businesses need to be
more forthcoming about reporting their security breaches. Without
such evidence it is difficult to prosecute and sentence virus
writers. More importantly, soft sentencing does little to deter
future cybercriminals, which is bad news for businesses.
Why you need to take action
- Companies are increasingly including clauses in contracts that
spell out which party is liable to pay for virus clean-ups
- Virus infections could leave directors in breach of the Data
Protection Act
- Only 11% of organisations have insurance against
cybercrime
- Firms may need to prove that they have taken "reasonable"
measures to protect themselves and other parties.
Graham Cluley is senior technology consultant at Sophos
Anti-Virus. www.sophos.com/