refresh(PIX) - Fotolia

What should I tell the board about viruses?

I have been asked to brief the board about our vulnerability to viruses, how the business could be affected and what we are doing to protect ourselves. What areas should I cover, and how much detail should I go into?

Present virus information in risk management terms

This issue should be presented in risk management terms when you talk to top management. In a straightforward and honest manner, you should present a summary of the threats, vulnerabilities and consequences using detailed examples from recent experiences within the company and across the industry.

Threats should be in terms of classes of actors (individuals, groups, nature) with capabilities and intents to use viruses. Vulnerabilities should be identified in terms of which computer systems and resulting business functions are susceptible to viruses; and consequences should be couched in terms of the potential harm that can befall the company as a result of viruses exploiting these vulnerabilities.

Consequences should be in business terms, including but not limited to the harm to the brand, the direct and indirect effects of corruption, the loss of availability, and the use of company systems by attackers after the virus is granted access, and loss of confidentiality.

Civil and criminal liability issues, regulatory issues and potential additional liabilities associated with failures in due diligence should also be identified. There is never a need or justification for scare-mongering. Management can only make sound business decisions on the basis of accurate information presented to them in the proper context.

Fred Cohen, Principal analyst, Burton Group

FredCohen will be speaking at Infosecurity Europe 2004 in the Grand Hall at London's Olympia, 27-29 April

Use familiar business language and keep it simple

The most important thing to remember when dealing with viruses and network protection is that this is simply an extension of the normal corporate security procedures in place in any organisation. Couching the briefing in familiar business terms will ensure that the board has a clearer understanding.

You should start with a broad outline of the security strategy, including the firewall and protection against e-mail and physically transported attacks. The cost to the business of a catastrophic failure of the systems infrastructure can be used to demonstrate the minimal cost of this protection when compared to the risk.

A graphic representation of the network, showing vulnerable points and countermeasures, will show where further resources are required. Do not be afraid to demonstrate high-risk areas - no company would consider leaving physical assets unprotected, so a protection system for the electronic assets with a cost in line with the assets it protects will make sense. Real world examples of virus attacks and associated downtime costs also add credibility and perspective.

It is extremely important you do not get technical. A worm, trojan or virus are the same things when you are protecting the whole business.

Colin Clark, Corporate cost audit manager, Somerfield

Colin Clark will be speaking at Infosecurity Europe 2004 at London's Olympia, 27-29 April

Explain the need to be prepared for trouble

If your computer systems do not have effective anti-virus solutions you will almost certainly suffer a malicious code attack, and the consequences could be dire.

First, you could be exposed to newly-identified vulnerabilities or signatures of newly developed malicious code until the anti-virus suppliers develop effective solutions and you have deployed them in your organisation.

Second, users who are not vigilant about their responsibilities to prevent computer virus infections will remain a weak link in the chain.

You cannot afford not to have effective defences and procedures to identify events that might slip through the net, and the incident response capabilities to contain and recover from them. You will be hit periodically, so you need to know what to do.

Recent press articles quantify the cost of computer virus or malicious code attacks in the tens of billions of pounds. This makes for good headlines, but for many, the impact could be reduced if anti-virus solutions and vulnerability management processes had been up-to-date.

Take this opportunity with the board to start their education about viruses within the overall context of information security. Ask them for help. IT departments are good at deploying anti-virus software and incident response procedures. People issues - such as getting users to do their bit - needs drive and commitment from board members to lead by example.

John Butters, Partner, Ernst & Young's IS practice

Use language the board will understand

First, explain the threat to the board in terms they will understand and that are specific to your company. Use scenarios and examples based on real-life business situations to show where you believe you are at risk, and why. Be prepared to back this up with more technical detail.

Having explained the problem, give the board a range of costed strategies to choose from, with your rationale and a list of pros and cons in each case. Say which you recommend and why, and be prepared to implement the results of their decision.

Second, bear in mind that this is all a question of trust. Executives have to decide whether they believe the picture you are painting, and that you are proposing the right response. How are you perceived by the board? Do they know you and trust your judgement on these kinds of issues? Will they see your guidance as genuine or an attempt at manipulation? Prepare well.

Chris Potts, Director, Dominic Barrow

Illustrate the risks to the business of poor security

Focus on what you need to secure the infrastructure and protect assets. Illustrate the risk to the business in terms of what damage that vulnerability could inflict on consumer confidence, your share price, or perhaps your ability to function as an essential part of a supply chain or service process.

Try to substantiate your points with comparable figures from your industry or sector - there are a growing number of good sources where information is available and realistically quantified - and do express the technologies you use or need to fund in terms of what they do, rather than what they are.

Ollie Ross, Head of research, Tif

Explain your defences to a worst-case attack scenario

Your vulnerability obviously depends upon your IT infrastructure and how well it is configured, protected and managed.

The board needs to be aware of the worst-case scenario. If you are doing nothing, every system could be infected so quickly and badly as to be unrecoverable. By the time you realise what the problem is, every networked server and PC could be destroyed. It may sound like scare-mongering but it could easily happen. The question the board would need an answer to is how long would it take to rebuild the servers and PCs and restore the data - and would the business be able to survive?

The minimum precautions I would recommend would be:

  • Educate your users to be more virus aware; not to open suspicious e-mails, especially file attachments, or click on e-mail embedded weblinks, or put floppy discs, CDs or USB storage devices in their PCs unless they have been virus-checked
  • Have good perimeter network anti-virus systems in place and make sure they are automatically updated on a regular basis (hourly). If you have the budget, consider using a messaging service such as MessageLabs to scan all incoming and outgoing e-mail
  • Implement on-demand anti-virus software on every networked PC and make sure virus signatures are regularly updated (daily). It is very easy for a user to bring in an infected laptop or disc and infect the network from within
  • Have a patching policy and ensure PCs have critical security patches applied, as most worms exploit known vulnerabilities.

Robin Laidlaw, President, CW500 Club

Talk about the operative effects of downtime

The briefing should address those issues that could directly affect operational, service and commercial continuity. This information should focus on the main route into the organisation, which must be adequately assessed with commensurate measures deployed for minimising the disruption caused from infiltration or intrusion. Intrusion detection methods and systems can be expressed in cost benefit terms.

The scale of vulnerability and operational exposure should drive the briefing. Key areas will be e-mail, operating system security gaps and the frequency of updates. The potential for loss from a commercial position should not be understated and should serve to highlight the organisation's security strategy.

As a prime focal point the key question is, "How long does the board feel is it acceptable for the organisation to be unable to operate or have zero external electronic communications?"

The extent and value of potential commercial damage, clearly industry- and sector-dependant, will have a direct bearing on the acceptability of any mitigation strategies proposed. Attributable cost for security-specific resources or external expertise should be linked to this and support a robust business case for defensive policies.

To avoid panic, you need to ensure that in all the discussions there is a sense of perspective to balance the relationship between vulnerability and costs.

Roger Rawlinson, NCC Global

Read more on Antivirus, firewall and IDS products