The recent Blaster and Sobig-F outbreaks have once again highlighted that companies are not always protected against the latest viruses or patched against vulnerabilities in computer operating systems.

Leaving any hole in your IT network is an invitation for a security breach, and with the advent of the Data Protection Act, virus infections and hack attacks are no longer just costly inconveniences, they could leave company directors facing litigation for allowing private data to be accessed illegally.

Unfortunately, all companies relying on technology are vulnerable to security breaches. Viruses are not fussy about who they infect – once a virus is in the wild, there is little control over how it spreads. Hacking is much more targeted, but smaller companies shouldn't feel exempt from the attention of hackers. Smaller networks are often used as training grounds for would-be hackers or as shortcuts into the networks of larger organisations.

This is particularly a problem for growing businesses, which face the same threats as larger organisations but have few dedicated IT resources. A greater reliance on remote working makes a watertight security policy even more difficult to enforce. However, there are some simple steps that any business can implement to dramatically reduce the chance of falling victim to a breach.

Security audit

First, you can conduct a security audit. Many firms now offer penetration testing, where experts hack into a network to test its integrity and discover where there are weak spots. In an ideal world, such audits would take place on a regular basis as threats are always changing.

Next comes the implementation of security products, but companies should realise that the risks do not disappear with the purchase of anti-virus software or a firewall. In 2002, research from 3i found that 80% of firewalls were configured incorrectly – a firewall is worthless unless it is properly set up and regularly patched. Similarly, up to 800 new viruses are identified every month, so it is essential that protection is always up to date. Microsoft and other software vendors often warn of vulnerabilities in their operating systems, so firms should subscribe to their alert services and patch any holes. Patching and updating may seem an onerous task, but anti-virus updates can be automated (even for remote workers) and firewall configuration can always be outsourced to a specialist.

To beef up security still further, consider blocking email attachments with multiple extensions and banning certain file types – blocking .PIF and .SCR files would have prevented infection from Sobig-F and few businesses need to send or receive such file types. These threat reduction techniques cost nothing.
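The two mail-gateway rules just described (ban named file types, and block attachments whose names carry more than one extension) can be expressed in a few lines. The script below is an added illustration and is not code from the article or from Sophos; it uses only Python's standard `email` library, the banned set contains exactly the .PIF and .SCR types the article names, and the allowlist of legitimate compound extensions (such as `.tar.gz`) and the sample message it scans are constructed for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File types blocked outright: the article names .PIF and .SCR.
BANNED_EXTENSIONS = {".pif", ".scr"}

# Assumed allowlist of legitimate compound extensions, so that an archive like
# "logs.tar.gz" is not mistaken for a disguised executable.
ALLOWED_COMPOUND = {".tar.gz", ".tar.bz2"}


def attachment_filename_verdict(filename: str) -> tuple[bool, str]:
    """Return (blocked, reason) for one attachment file name.

    Rule 1: the final extension is on the banned list.
    Rule 2: the name has more than one extension (e.g. "report.txt.scr"),
            a common trick for passing an executable off as a document.
    """
    name = os.path.basename(filename.strip())
    # Everything after the first dot is an extension candidate; stripping
    # each part also defeats names padded with spaces before the real extension.
    parts = [p.strip() for p in name.split(".")]
    exts = [("." + p).lower() for p in parts[1:] if p]
    if not exts:
        return False, "no extension"
    if exts[-1] in BANNED_EXTENSIONS:
        return True, f"banned file type {exts[-1]}"
    if len(exts) > 1:
        joined = "".join(exts)
        if joined in ALLOWED_COMPOUND:
            return False, "allowed"
        return True, f"multiple extensions {joined}"
    return False, "allowed"


def scan_message(raw: bytes) -> list[tuple[str, bool, str]]:
    """Parse a raw RFC 822 message and apply the verdict to every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        blocked, reason = attachment_filename_verdict(fname)
        results.append((fname, blocked, reason))
    return results


def build_sample() -> bytes:
    """Construct a test message (not a real capture) with mixed attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed test message"
    msg.set_content("Please see the attached files.")
    for fname in ("your_document.pif", "minutes.txt.exe", "logs.tar.gz", "report.pdf"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=fname)
    return bytes(msg)


if __name__ == "__main__":
    for fname, blocked, reason in scan_message(build_sample()):
        print(f"{'BLOCK' if blocked else 'allow':5} {fname:20} {reason}")
```

The multiple-extension rule deliberately errs on the side of blocking: a name like `my.report.pdf` will be stopped too, which is the cost of a rule that needs no signature updates. Tune `ALLOWED_COMPOUND` to the file types the business actually exchanges rather than weakening the rule itself.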

Alongside the technical stuff, companies need policies which govern the use of computers. Employees are usually the weakest link in the security chain, so they should follow the rules of safe computing. It is also worth examining whether everyone needs internet access or instant messaging, and those with email must be educated about opening unsolicited attachments. Ultimately, if a security policy is to be effective, all members of the company must actively participate.

Graham Cluley is a senior technology consultant at Sophos.