Love Bug: learning the lessons

An integrated security strategy is the best defence

The "love bug" virus has cost users an estimated $10bn worldwide - mainly in lost work time. Most users are not insured for that kind of loss, so it is value wiped forever from the world economy. The disaster was initiated by a single hacker.

Recriminations have started and, if you're looking for someone to blame, you pay your money and take your choice.

Microsoft was at fault, says analyst GartnerGroup. Dumb users are to blame, says Microsoft, adding helpfully that "it is not a technology issue". People who skimp on virus protection were culpable, say the anti-virus suppliers. Meanwhile a coalition of Linux-lovers, Unix suppliers and Mac users is engaged in a festival of hubris.

Before we look for culprits - and solutions - it's worth taking stock of the size of the problem. Even as you are reading this, a week after the virus first hit, your department will be dealing with the aftershocks. Imagine what could have happened if a team of sophisticated software engineers, backed by organised crime or even a rogue national government, had unleashed the virus.

Unless we come up with some better protection than at present for the virus threat, our systems could be facing a major catastrophe in the near future.

Microsoft is an easy target and, at first sight, looks culpable. The inclusion of macros in basic desktop software is one of those things that looked like a good idea at the time but wasn't.

Microsoft protests that its market dominance, and the prevalence of its software, makes it the prime target for virus writers - not technology glitches. That is also true. But it is probably a bad thing all round for the dominant operating system and the dominant desktop apps to have so many holes into which rogue code can be fired.

On the face of it, the vulnerability of Outlook, Word and Windows to successive virus attacks gives a huge boost to the case for open source software. Linux discussion sites were awash with self-satisfaction as the bug took down corporate systems across the globe.

But if Linux or another open source Unix were ever to become the dominant system it would be just as soft a target as Microsoft. The best defence, at the level of technology, seems to be layer upon layer of proprietary software, with virus resistance at the core of the value proposition to the user.

Over and above the technology, of course, there remains the human weakness at both ends of the infection chain. Daft end-users and reckless cyber-pranksters are easy targets to heap blame on.

But these are not the real problem. We have to accept that they will always exist, and that our human systems have to be designed to minimise their impact. In a fluid labour market, how many new employees are ever properly introduced to good desktop security practice? In a competitive economy, how many front-line managers turn a blind eye to sloppy security to get the job done? And how many senior managers really understand the return-on-investment case for strong anti-virus protection?

No company is an island. Your organisation is part of a huge global data-processing machine. You need a bottom-to-top security solution - but no single supplier will provide it. You need a pro-active solution - but you can never quantify the return to the business. You need expert IT security staff - but few exist and they cost the earth.

Above all, you need an integrated security strategy.
