Don't let virus panic skew your security strategy; use the experience to ensure all your contingency plans are up to date, says Graham Titterington.
The latest virus outbreaks are distracting enterprises from taking effective steps towards coherent security and business continuity strategies.
The triple strike from the Blaster, Nachi and Sobig viruses has raised the profile of IT security in the business community, but companies are focusing on details rather than solving crucial weaknesses in corporate systems.
This crisis has encouraged IT administrators to wrongly believe that security equals antivirus protection and it has sucked money from longer-term development into fire-fighting.
IT security should be about protecting all critical systems, processes and data. Companies should be carrying out risk analysis covering the entire IT environment, quantified in terms of the business processes affected and their importance.
Recent events should have seen managers dusting down their operational risk assessments and updating them. Until firms plan for the overall protection of their systems, similar attacks will happen again and again.
Contingency plans are needed for everything from the loss of an ISP connection to the loss of the data. The contingency plans must include the switchover procedures and, most important of all, the human issues. We have recently come as close as ever to a suffocation of the e-mail system: many ISPs experienced substantial delays in forwarding mail, and many e-mails that arrived were carrying unwelcome baggage.
Only by assessing how dependent their business is on the free flow of e-mails, and by working out alternative processes if e-mail stops, can IT managers devise accurate contingency plans.
Updating antivirus defences and applying security patches to computer operating systems are important, but these problems are minor compared with maintaining a coherent approach to security and business continuity.
Indeed, it may turn out that hackers have exploited this gap in vigilance to launch other kinds of intrusion.
Graham Titterington is a senior analyst at Ovum.
This was first published in September 2003