It’s the same old tune, and we’re all getting tired of hearing it. Another e-mail virus is stalking the Internet, trashing computer systems, or just being annoying.
Time to listen to the experts—and get off the merry-go-round that spins you through the “discover the virus, fix the effect of the virus” cycle.
When the ILOVEYOU virus struck, TechRepublic's security columnist John McCormick had matters well in hand. “The only problems any of my clients faced was a surge of e-mails, which they had to delete without opening.”
His clients know the cardinal rule of e-mail virus prevention—never open an attachment you aren’t expecting, even from someone you know.
How can you achieve the same level of success as McCormick's clients? Computer security experts offer these suggestions:
- Establish your acceptable level of risk and implement a security policy.
- Train employees to stay within your level of acceptable risk and policy and continually remind them of the policy.
- Share the responsibility for fulfilling the policy.
Tell me where it hurts
An e-mail virus on the Internet is analogous to a virus in the human body, according to Internet security expert, William H. Murray, executive consultant, IS security, Deloitte Touche Tohmatsu .
The Internet will produce antibodies to combat any virus that infects it, Murray said.
“The Love Bug virus goes out today, it gets noticed today, and it’s all over the place,” he said. “Lots of people are going to be damaged by it, but in two days' time the Love Bug is going to be shut down.”
How damaging does a virus have to be before your company’s profits and resources start yelling “Uncle?”
The damages from viruses last year amounted to about $29.2 million, according to a recent report released by the Federal Bureau of Investigation and the Computer Security Institute .
With that much money on the line, some companies might want to restrict e-mail use to mail that is expected and from known sources.
“If I was an enterprise and I wanted to implement that kind of a policy, I would have to automate it because I couldn’t rely upon my users to enforce it,” Murray said. It nearly always ends up in the IT department’s lap, but a policy can transfer that responsibility to the end users and their supervisors.
Such policy decisions might include installing antivirus software on all machines connected to the network or filtering all traffic through the firewall, both coming and going, to keep viral attacks out and to ensure the company doesn’t propagate them.
Train and remind employees
According to McCormick, regularly updating virus software and tracking security threats to your network is a full-time job for someone, and your company may not be able to afford that.
“On the other hand, almost anyone can teach the basics of proper e-mail security, so this doesn't even need to take up the valuable time of a security specialist as long as some qualified person designs the training program and approves the basic security rules,” he said.
Software alone isn’t going to keep your employees from opening up an attachment they aren’t expecting from someone they may or may not know, McCormick said, whereas “education alone can.”
However, it's also important to realize that education isn’t a one-time shot, and simply putting it in the employee manual isn’t going to hack it. Someone needs to explain the company policy and why it exists. Maybe a poster or two on occasion might help remind employees of the need for caution.
“In some cases, a screen saver with a warning might be a lot more useful than flying windows,” McCormick said.
Got a policy but no one to keep track of all the threats and software updates for you? You might want to outsource this function to a company such as MailZone or USA.NET.
MailZone is a service offered by Allegro, a subsidiary of e-mail service provider Mail.com. MailZone allows clients to configure their e-mail servers to allow its service to screen all incoming and outgoing messages for viruses or material such as profanity, pornography, racial slurs, and other objectionable content.
According to Allegro president, Aaron Fessler, the only function of MailZone is to handle e-mail screening to meet a company’s policy requirements. To do that, the company has people working round the clock watching for viruses and maintaining its services, he said.
“The main thing about this is that our clients aren’t required to install additional hardware or software,” Fessler said. So when ILOVEYOU struck, "our [client] network administrators got out of bed that Thursday morning and really didn’t need to do anything at all to prevent getting that virus.”
Share the responsibility
The point of having a security policy for e-mail is to save the company potentially great expense and lost productivity. If you fear those results from security lapses, you need to share that concern with your employees in a realistic way.
That may be as simple as telling your employees to trash any unexpected attachment to an e-mail without opening it or face disciplinary actions if they jeopardize company resources.
If you say you’re going to fire anyone that spreads a virus, you will soon be out of employees, Murray said. “You can say, 'If you get a brand new virus and you spread it, that’s okay. If you get a three-day-old virus, and you spread it, you’re in deep doo-doo.'”
If the company tells employees to update their virus definition files, that transfers a portion of the responsibility for the company’s security to employees. Automatically updating the persistently connected users is a better option for most companies, he said, but for companies with users on remote or portable computers, it remains a problem.
Did your company feel the bite of the Love Bug? What about the variants that followed? If you keep facing this problem over and over, what do you plan to do about it? Post your comments below or send us a note.