What should I tell the board about viruses?
I have been asked to brief the board
about our vulnerability to viruses, how the business could be
affected and what we are doing to protect ourselves. What areas
should I cover, and how much detail should I go into?
Present virus information in risk management terms
This issue should be presented in risk management terms when you
talk to top management. In a straightforward and honest manner, you
should present a summary of the threats, vulnerabilities and
consequences using detailed examples from recent experiences within
the company and across the industry.
Threats should be in terms of classes of actors (individuals,
groups, nature) with capabilities and intents to use viruses.
Vulnerabilities should be identified in terms of which computer
systems and resulting business functions are susceptible to
viruses; and consequences should be couched in terms of the
potential harm that can befall the company as a result of viruses
exploiting these vulnerabilities.
Consequences should be in business terms, including but not limited
to the harm to the brand, the direct and indirect effects of
corruption, the loss of availability, the use of company
systems by attackers after the virus is granted access, and loss of
confidentiality.
Civil and criminal liability issues, regulatory issues and
potential additional liabilities associated with failures in due
diligence should also be identified. There is never a need or
justification for scare-mongering. Management can only make sound
business decisions on the basis of accurate information presented
to them in the proper context.
Fred Cohen, Principal analyst, Burton Group
Fred Cohen will be speaking at Infosecurity Europe 2004 in the
Grand Hall at London's Olympia, 27-29 April
Use familiar business language and keep it simple
The most important thing to remember when dealing with viruses and
network protection is that this is simply an extension of the
normal corporate security procedures in place in any organisation.
Couching the briefing in familiar business terms will ensure that
the board has a clearer understanding.
You should start with a broad outline of the security strategy,
including the firewall and protection against e-mail and physically
transported attacks. The cost to the business of a catastrophic
failure of the systems infrastructure can be used to demonstrate
the minimal cost of this protection when compared to the
risk.
A graphic representation of the network, showing vulnerable points
and countermeasures, will show where further resources are
required. Do not be afraid to demonstrate high-risk areas - no
company would consider leaving physical assets unprotected, so a
protection system for the electronic assets with a cost in line
with the assets it protects will make sense. Real-world examples of
virus attacks and associated downtime costs also add credibility
and perspective.
It is extremely important you do not get technical. A worm, trojan
or virus is the same thing when you are protecting the whole
business.
Colin Clark, Corporate cost audit manager, Somerfield
Colin Clark will be speaking at Infosecurity Europe 2004 at London's
Olympia, 27-29 April
Explain the need to be prepared for trouble
If your computer systems do not have effective anti-virus solutions
you will almost certainly suffer a malicious code attack, and the
consequences could be dire.
First, you could be exposed to newly-identified vulnerabilities or
signatures of newly developed malicious code until the anti-virus
suppliers develop effective solutions and you have deployed them in
your organisation.
Second, users who are not vigilant about their responsibilities to
prevent computer virus infections will remain a weak link in the
chain.
You cannot afford not to have effective defences and procedures to
identify events that might slip through the net, and the incident
response capabilities to contain and recover from them. You will be
hit periodically, so you need to know what to do.
Recent press articles quantify the cost of computer virus or
malicious code attacks in the tens of billions of pounds. This
makes for good headlines, but for many, the impact could be reduced
if anti-virus solutions and vulnerability management processes had
been up-to-date.
Take this opportunity with the board to start their education about
viruses within the overall context of information security. Ask
them for help. IT departments are good at deploying anti-virus
software and incident response procedures. People issues - such as
getting users to do their bit - need drive and commitment from
board members to lead by example.
John Butters, Partner, Ernst & Young's IS practice
Use language the board will understand
First, explain the threat to the board in terms they will
understand and that are specific to your company. Use scenarios and
examples based on real-life business situations to show where you
believe you are at risk, and why. Be prepared to back this up with
more technical detail.
Having explained the problem, give the board a range of costed
strategies to choose from, with your rationale and a list of pros
and cons in each case. Say which you recommend and why, and be
prepared to implement the results of their decision.
Second, bear in mind that this is all a question of trust.
Executives have to decide whether they believe the picture you are
painting, and that you are proposing the right response. How are
you perceived by the board? Do they know you and trust your
judgement on these kinds of issues? Will they see your guidance as
genuine or an attempt at manipulation? Prepare well.
Chris Potts, Director, Dominic Barrow
Illustrate the risks to the business of poor security
Focus on what you need to secure the infrastructure and protect
assets. Illustrate the risk to the business in terms of what damage
that vulnerability could inflict on consumer confidence, your share
price, or perhaps your ability to function as an essential part of
a supply chain or service process.
Try to substantiate your points with comparable figures from your
industry or sector - there are a growing number of good sources
where information is available and realistically quantified - and
do express the technologies you use or need to fund in terms of
what they do, rather than what they are.
Ollie Ross, Head of research, Tif
Explain your defences to a worst-case attack scenario
Your vulnerability obviously depends upon your IT infrastructure
and how well it is configured, protected and managed.
The board needs to be aware of the worst-case scenario. If you are
doing nothing, every system could be infected so quickly and badly
as to be unrecoverable. By the time you realise what the problem
is, every networked server and PC could be destroyed. It may sound
like scare-mongering but it could easily happen. The question the
board would need an answer to is how long would it take to rebuild
the servers and PCs and restore the data - and would the business
be able to survive?
The minimum precautions I would recommend would be:
- Educate your users to be more virus aware; not to open
suspicious e-mails, especially file attachments, or click on e-mail
embedded weblinks, or put floppy discs, CDs or USB storage devices
in their PCs unless they have been virus-checked
- Have good perimeter network anti-virus systems in place and
make sure they are automatically updated on a regular basis
(hourly). If you have the budget, consider using a messaging
service such as MessageLabs to scan all incoming and outgoing
e-mail
- Implement on-demand anti-virus software on every networked PC
and make sure virus signatures are regularly updated (daily). It is
very easy for a user to bring in an infected laptop or disc and
infect the network from within
- Have a patching policy and ensure PCs have critical security patches applied, as most worms exploit known vulnerabilities.
Robin Laidlaw, President, CW500 Club
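The second, third and fourth precautions above (perimeter signatures refreshed hourly, endpoint signatures daily, critical patches applied) can be turned into a check that produces the kind of numbers a board slide needs. The script below is an added example, not part of Robin Laidlaw's answer or any product's code: it reads a host inventory, flags each host whose signature age exceeds the limit for its role or that is missing a critical patch, and summarises the result. Host names, roles, timestamps and patch labels are constructed for the example; in practice the inventory would be exported from the anti-virus console and the patch management tool.

```python
"""Signature-age and patch-state check over a host inventory (added example)."""
from datetime import datetime, timedelta, timezone

# Maximum acceptable age of anti-virus signatures, by host role.
# Thresholds follow the precautions in the text: hourly at the
# perimeter, daily on networked PCs. Unknown roles are treated as endpoints.
MAX_SIGNATURE_AGE = {
    "perimeter": timedelta(hours=1),
    "endpoint": timedelta(days=1),
}

# Constructed inventory (assumed export format, not any real tool's output).
# last_signature_update is an ISO-8601 UTC timestamp, or None if the host
# has never pulled an update. Patch labels are placeholders.
SAMPLE_INVENTORY = [
    {"host": "mailgw01", "role": "perimeter",
     "last_signature_update": "2004-04-27T08:30:00Z", "missing_critical_patches": []},
    {"host": "mailgw02", "role": "perimeter",
     "last_signature_update": "2004-04-27T05:00:00Z", "missing_critical_patches": []},
    {"host": "pc-fin-12", "role": "endpoint",
     "last_signature_update": "2004-04-26T18:00:00Z", "missing_critical_patches": []},
    {"host": "pc-lt-07", "role": "endpoint",
     "last_signature_update": None, "missing_critical_patches": ["patch-A"]},
    {"host": "pc-ops-03", "role": "endpoint",
     "last_signature_update": "2004-04-24T09:00:00Z", "missing_critical_patches": ["patch-B"]},
]

# Fixed "now" so the example is reproducible offline.
SAMPLE_NOW = datetime(2004, 4, 27, 9, 0, tzinfo=timezone.utc)


def parse_utc(timestamp):
    """Parse an ISO-8601 UTC timestamp with a trailing Z; None stays None."""
    if timestamp is None:
        return None
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_host(record, now):
    """Return a list of findings for one host; empty means compliant."""
    findings = []
    limit = MAX_SIGNATURE_AGE.get(record["role"], MAX_SIGNATURE_AGE["endpoint"])
    updated = parse_utc(record["last_signature_update"])
    if updated is None:
        # A host that never updated is worse than a stale one: treat as stale.
        findings.append("signatures never updated")
    else:
        age = now - updated
        if age > limit:
            findings.append("signatures %.1f h old, limit %.1f h"
                            % (age.total_seconds() / 3600, limit.total_seconds() / 3600))
    if record["missing_critical_patches"]:
        findings.append("missing critical patches: "
                        + ", ".join(record["missing_critical_patches"]))
    return findings


def audit(inventory, now):
    """Map each non-compliant host name to its findings."""
    results = {}
    for record in inventory:
        findings = check_host(record, now)
        if findings:
            results[record["host"]] = findings
    return results


def summarise(inventory, now):
    """Board-level counts: how many hosts, and how many fail on each control."""
    stale = unpatched = non_compliant = 0
    for record in inventory:
        findings = check_host(record, now)
        if findings:
            non_compliant += 1
        if any(f.startswith("signatures") for f in findings):
            stale += 1
        if any(f.startswith("missing critical") for f in findings):
            unpatched += 1
    return {"hosts": len(inventory), "non_compliant": non_compliant,
            "stale_signatures": stale, "unpatched": unpatched}


if __name__ == "__main__":
    for host, findings in sorted(audit(SAMPLE_INVENTORY, SAMPLE_NOW).items()):
        print(host, "->", "; ".join(findings))
    print(summarise(SAMPLE_INVENTORY, SAMPLE_NOW))
```

The per-host findings are for the IT team; the summary dictionary is the figure to put in front of the board ("3 of 5 hosts non-compliant: 3 with stale signatures, 2 unpatched"). Running it on a schedule against a fresh export, rather than once, is what turns the precaution list into evidence that the controls are actually in force.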
Talk about the operative effects of downtime
The briefing should address those issues that could directly affect
operational, service and commercial continuity. This information
should focus on the main route into the organisation, which must be
adequately assessed with commensurate measures deployed for
minimising the disruption caused from infiltration or intrusion.
Intrusion detection methods and systems can be expressed in cost
benefit terms.
The scale of vulnerability and operational exposure should drive
the briefing. Key areas will be e-mail, operating system security
gaps and the frequency of updates. The potential for loss from a
commercial position should not be understated and should serve to
highlight the organisation's security strategy.
As a prime focal point the key question is, "How long does the
board feel it is acceptable for the organisation to be unable to
operate or have zero external electronic communications?"
The extent and value of potential commercial damage, clearly
industry- and sector-dependent, will have a direct bearing on the
acceptability of any mitigation strategies proposed. Attributable
cost for security-specific resources or external expertise should
be linked to this and support a robust business case for defensive
policies.
To avoid panic, you need to ensure that in all the discussions
there is a sense of perspective to balance the relationship between
vulnerability and costs.
Roger Rawlinson, NCC Global