Economic damage from 'malware' has continued to soar this year.
It is a mistake to assume that only individual users or SMEs without sophisticated security systems are at risk. For example, a report from digital risk specialist mi2g's intelligence unit on 10 May said that variants of the recently-released Sasser worm had already caused between $14.8bn and $18.1bn of damage worldwide, with considerable disruption of organisations making up the global critical economic infrastructure. This included seven major financial institutions, three transport companies, and telecommunications provider Telecom Italia, as well as government agencies, universities, health centres and media organisations.
However well large organisations think they are protecting themselves against viruses, clearly they are not. It is not just a matter of ensuring that security practices and procedures are up to date, although this helps.
Shaun Cooper of AIG Europe's (UK) e-Business Risk Solutions, suggests that the best approach is to have multi-layered technical controls, such as firewalls, anti virus and detection software, combined with appropriate administrative measures, such as including protocols on e-mail use within employment contracts. "But companies must enforce the policies and procedures.
It is pointless having a fire wall if no one checks the error logs it produces. And if an employee is a serial offender, the company needs to take action against them."
AIG Europe recently introduced a new cyber attack extension for its mid-to-large commercial property policyholders, and Cooper says that companies benefit just by getting a quote. "The assessment looks at policyholders' network infrastructure, security procedures, practices and protocols.
It means that policyholders get a detailed objective review of their overall network environment."
Combating malware effectively over the long term is, however, likely to involve far more than individual organisations improving their security.
Recently mi2g produced a list of the top 10 lessons learnt from the MyDoom global epidemic, summarised as follows.
1 MONOCULTURE ISSUES AND LAW ENFORCEMENT: The global economy is digitally interlinked and currently too reliant on a single operating system. Governments need to encourage diversity of computing platforms and applications. Law enforcement agencies need to collaborate worldwide to bring computer criminals to justice.
2 EDUCATION: Governments and computer vendors need to do more to educate users on the dangers of leaving a computer in a standard configuration without applying appropriate security measures. Investment in strategy and training is essential in addition to the procurement of the right security hardware and software.
3 ARMY OF ZOMBIES: ISPs, and computer owners who are online, need to be more vigilant about denial of service attacks. Always-on online services should not be sold without appropriate firewall and anti-virus tool kit software. ISPs should agree on a global standard of vigilance and periodically check their customers to ensure that they are complying with the appropriate levels of protection.
4 UNRELIABLE COMPUTING: The world depends on computing much as if it were a utility service. However, computing does not presently display the same reliability as other utilities. This is a major shortcoming, which denies users a high quality of service, and endangers them by making life too easy for computer criminals.
5 OPPORTUNISTIC CRIMINAL ACTIVITY: The back doors left open on infected machines are quickly pillaged by opportunistic hackers on the prowl to get hold of credit card numbers, banking and online shopping details as well as other vital documents. The law enforcement agencies in most of the 200 infected countries remain largely unaware of the local criminal elements that take advantage of a global malware epidemic.
6 DATA AND COMPUTING SEPARATION: Vital data, and the computing platforms used for online access ought to be separate. In the long run it is preferable that people vault their data and retrieve it by thorough authentication, involving smart cards or biometrics, so that their compromised computers do not lead to data theft.
7 GROWING ECONOMIC DAMAGE: Fast spreading malware does not leave much time for post-event preparation. The survivors are those with security regimes that champion planning, preparation and contingency capability.
8 EARLY WARNING CENTRES: Every country should have an early warning centre to alert citizens through non-internet based channels whenever a global internet disruption or fast spreading epidemic occurs.
9 HOME USERS: Complex computer protection is no longer manageable by a lay person. Protection needs to be at the level of ISPs. It would offer higher levels of security if users were to dial into a centralised secure service that sheltered their data and money, while granting access only after a rigorous authentication process had been completed.
10 SOCIAL RESPONSIBILITY: Whenever computer users leave their machines online without security software, their carelessness can have consequences beyond their own lives. Vendors and law enforcers should do more to stress this.
Unfortunately, an ambitious global programme like this is some way in the future. Meanwhile, businesses need to invest in optimum security and have a sound plan to pick up the pieces should the worst happen.
INSURING AGAINST ATTACK
AIG Europe's cyber attack extension provides limits up to £15m for:
- Restoration and recovery costs for systems resources and information assets lost or corrupted by an attack
- Business interruption losses triggered after 12 hours, additional working expenses, forensic and investigation services after a network failure caused by a computer attack.
Cyber attack quotations are being provided to existing property policyholders and new business enquiries where there is a dependency on their computer networks.