ICI aims to eliminate the most critical security vulnerabilities in nearly 40,000 computer systems, stretching across manufacturing plants and offices in 35 countries, by the end of the year.
The chemicals company aims to carry out automatic monthly scans of its networks to identify critical security vulnerabilities, which could leave systems open to worms or hackers.
The project, which will be fully rolled out within six months, will give ICI the ability to lock down vulnerable systems within hours of a new worm or hacking exploit appearing on the internet.
“It is going to provide us with a wealth of information,” said Paul Simmonds, ICI’s global information security director. “It will enable us to respond to outbreaks in terms of which systems we prioritise. With an outbreak in the morning, we could be giving people priority machines to patch by early afternoon.”
ICI estimated that with worm infections costing similarly sized businesses between £100,000 and £1m per incident, the service would pay for itself by preventing just one major infection.
The system will allow ICI to map its global IT networks and identify which devices contain vulnerabilities and how much risk each poses, so that patching can be prioritised, said Simmonds.
The system rates each vulnerability on a scale of one to five: level five represents a vulnerability that could allow a hacker direct access to a system without specialist tools, and level one a low-risk vulnerability.
“By the third quarter this year, I am expecting to see no level-five vulnerabilities, or just one or two that they are still trying to fix, a few fours and possibly a couple of hundred threes,” said Simmonds.
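The triage described above (rank devices by worst finding, answer the outbreak question "which machines carry the vulnerability this worm exploits", and check the remaining counts against a target such as "no fives, a few fours") is simple to express in code. The following is an added illustration, not code from ICI or from Qualys; the findings, host names and vulnerability identifiers are constructed placeholders, and the 1..5 severity scale is the only thing taken from the article.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    host: str       # hostname or address of the scanned device
    vuln_id: str    # the scanner's identifier for the vulnerability
    severity: int   # 1 (low risk) .. 5 (direct access without specialist tools)


# Constructed sample scan output (not real ICI or Qualys data); the
# vulnerability identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("plant-a-hmi01", "VULN-SMB-RCE", 5),
    Finding("plant-a-hmi01", "VULN-WEAK-SNMP", 3),
    Finding("plant-a-file02", "VULN-SMB-RCE", 5),
    Finding("hq-web01", "VULN-TLS-CONFIG", 3),
    Finding("hq-web01", "VULN-OLD-OPENSSL", 4),
    Finding("hq-mail01", "VULN-BANNER-INFO", 1),
    Finding("plant-b-eng03", "VULN-OLD-OPENSSL", 4),
    Finding("plant-b-eng03", "VULN-SMB-RCE", 5),
    Finding("plant-b-eng03", "VULN-WEAK-SNMP", 3),
    Finding("lab-c-ws07", "VULN-WEAK-SNMP", 3),
    Finding("lab-c-ws07", "VULN-BANNER-INFO", 1),
]


def count_by_severity(findings):
    """Number of findings at each severity level 1..5, zeros included."""
    counts = Counter(f.severity for f in findings)
    return {level: counts.get(level, 0) for level in range(1, 6)}


def patch_order(findings):
    """Hosts in the order they should be patched.

    A host is ranked by its worst finding, then by how many findings it has
    at that level, then by its total number of findings, so that one patch
    window removes as much top-severity exposure as possible. Host name
    breaks the remaining ties so the list is stable between runs.
    Returns (host, worst_severity, findings_at_worst, total_findings).
    """
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f.severity)
    ranked = []
    for host, sevs in by_host.items():
        worst = max(sevs)
        ranked.append((host, worst, sevs.count(worst), len(sevs)))
    ranked.sort(key=lambda r: (-r[1], -r[2], -r[3], r[0]))
    return ranked


def hosts_exposed_to(findings, vuln_ids):
    """Hosts carrying any of the given vulnerabilities, worst severity first.

    This is the outbreak query: given the vulnerability a new worm exploits,
    return the machines to patch or isolate first.
    """
    wanted = set(vuln_ids)
    exposed = {}
    for f in findings:
        if f.vuln_id in wanted:
            exposed[f.host] = max(exposed.get(f.host, 0), f.severity)
    return sorted(exposed, key=lambda h: (-exposed[h], h))


def over_target(findings, limits):
    """Severity levels whose finding count exceeds the allowed limit.

    `limits` maps severity -> maximum acceptable number of findings; levels
    absent from `limits` are not checked. An empty result means the target
    is met.
    """
    counts = count_by_severity(findings)
    return {lvl: counts[lvl] for lvl, cap in limits.items() if counts[lvl] > cap}


if __name__ == "__main__":
    print("findings by severity:", count_by_severity(SAMPLE_FINDINGS))
    for host, worst, at_worst, total in patch_order(SAMPLE_FINDINGS):
        print(f"  {host:16} worst={worst} at_worst={at_worst} total={total}")
    print("exposed to VULN-SMB-RCE:",
          hosts_exposed_to(SAMPLE_FINDINGS, ["VULN-SMB-RCE"]))
    # A target in the spirit of "no fives, a few fours, a couple of hundred threes".
    print("over target:", over_target(SAMPLE_FINDINGS, {5: 0, 4: 5, 3: 200}))
```

Ranking by host rather than by individual finding matters in practice: a single patch on the host with the most level-five findings removes several exposures at once, and the outbreak query narrows the patch list to the machines that actually carry the exploited vulnerability instead of the whole estate.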
ICI plans to roll out the scanning service, managed by Qualys, across 335 sites worldwide, starting with the largest, over the next six months. It is training 60 IT staff to run the scans, analyse the results and to implement patches.
The biggest challenge has been persuading IT staff in different parts of the world to buy into the project, said Simmonds.
“We are doing it by osmosis. Getting the big sites to buy into it first, then it just becomes the norm. This is the tool you use and you are expected to do it,” he said.
ICI is one of the largest deployments of vulnerability scanning, but the practice is likely to become more common among smaller firms, said Graham Titterington, principal analyst at Ovum.
“People are going to realise that it is just something you have to do,” he said.