@ Computerweekly, © 2000 Reed Business Information Limited

The Love Bug

  A lack of diversity among corporate 
	IT systems allowed the virus to spread, aided by inadequate corporate policy. 
	Guy Campos learns the lessons of Love
  The I Love You bug was able to spread easily from one 
	UK company to another because of a lack of "biodiversity" in systems, 
	according to financial information security specialists. In nature, Darwinian 
	natural selection has produced species that share enough genetic code to be 
	interoperable but differ enough to vary in their susceptibility to diseases. 
	And we should aim for similar diversity in corporate IT systems, says DK Matai, 
	managing director of mi2g, which helps companies implement bespoke 
	security controls.
  Matai says IT managers can gain the power to shut down 
	parts of an information network in the same way that a submarine commander 
	can hermetically seal compartments within a vessel. Likewise, the ability 
	to receive executable files can be restricted to members of the IT department 
	and approved members of staff, with an IT manager acting as a gateway for 
	other users. Executable files come in many forms, such as Word and Excel macros, 
	but it is possible to detect hidden executables even if they are wrapped up 
	in zip files, says Matai.
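
One way a mail gateway could carry out the check described above, as an added example that is not from the article or from mi2g: it walks a zip attachment in memory, follows nested archives, and flags members by extension or by a DOS/PE "MZ" header hidden behind a harmless-looking extension. The extension list, depth limit and size limit are assumed policy values, and detection of Word and Excel macros is not covered.

```python
import io
import os
import zipfile

# Assumed policy values for illustration; none of these come from the article.
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
MAX_DEPTH = 3                    # nested-archive levels the scanner will open
MAX_MEMBER_BYTES = 10 * 2**20    # do not expand members declared larger than this

def classify(name, head):
    """Return why a member looks executable, or None if it does not."""
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXT:
        return "blocked extension " + ext
    if head[:2] == b"MZ":  # DOS/PE header, whatever the name claims
        return "PE/DOS header despite extension " + (ext or "(none)")
    return None

def scan_zip(data, path="", depth=0):
    """Walk a zip held in memory and return [(member_path, reason), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = path + info.filename
            if info.flag_bits & 0x1:  # encrypted: contents cannot be checked
                findings.append((member, "encrypted member, cannot inspect"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "member too large to inspect"))
            else:
                body = zf.read(info)
                reason = classify(info.filename, body)
                if reason:
                    findings.append((member, reason))
                elif zipfile.is_zipfile(io.BytesIO(body)):
                    if depth + 1 >= MAX_DEPTH:
                        findings.append((member, "archive nested too deeply"))
                    else:
                        findings += scan_zip(body, member + "!/", depth + 1)
    return findings

def _make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample attachment containing harmless placeholder bytes only.
INNER = _make_zip({"joke.txt.vbs": b"' placeholder", "photo.jpg": b"MZ\x90\x00fake"})
SAMPLE = _make_zip({"readme.txt": b"hello", "more/inner.zip": INNER})
```

Calling `scan_zip(SAMPLE)` reports both members of the inner archive; anything the scanner cannot open (encrypted, oversized or too deeply nested) is reported rather than passed through, so the gateway can hold it for the IT manager.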
  It is also possible to monitor any changes to a PC's configuration, 
	such as a user downloading a Flash plug-in to view hot Web sites, with IT 
	managers receiving an e-mail alert about the potential threat to data security. 
	As with any IT investment, companies need to balance expense against the cost 
	of failure, says Simon Owen, a senior management consultant at Arthur Andersen. 
	And there are many companies that have yet to implement common sense controls 
	such as putting in anti-virus scanners that are regularly updated by their 
	suppliers.
  "Companies have become so focused 
	on speed to market that corners have been cut," says 
	Owen. Companies can open every executable in a sandbox which tests the effect 
	of the file before allowing it to proceed to its recipient. But this is costly, 
	requiring an IT professional to supervise each test, and slows down communication 
	- removing one of the prime benefits of e-mail. There also has to be a balance 
	between technological controls and human resources policies. "It 
	is quite clear that the Love Bug would not have spread so easily had personnel 
	been reminded that they should delete any attachment that they were not expecting," 
	says Matai.
  The culture of sending jokes as executable attachments 
	is rife and there is a need for the most basic education about the danger 
	of e-mail, says Owen. Michael Chapman-Pincher, head of operations at The User 
	Group, which advises on e-business issues, says that if employees are to take 
	Internet security seriously, a lead must come from the top. There should be 
	a designated person responsible for security: the IT director or another senior 
	member of staff.
  Chapman-Pincher says many users still view e-mail as a 
	novelty and open every message and attachment they get. They do not throw 
	away unsolicited e-mail, as they would junk mail. However, he warned that 
	attempts to restrict access to e-mail to limit the spread of viruses could 
	make people feel excluded from the loop. Many people have huge e-mail address 
	books because management wants to make them feel included and make it easy 
	to communicate with anyone in the company. "But why should anyone have 1,800 names in 
	their address book?" asked Matai.
  He holds to a theory that there are four elements to e-security 
	- not just the technological and the human but the legal and insurance aspects 
	too. 
	In consultation with lawyers, companies should advise recipients of their 
	e-mails that it is their responsibility to check for viruses. Companies can 
	also now take out insurance policies to cover the cost of security failures. 
	Despite repeated scares over Internet security, many users are still living 
	in an age of innocence. "Corporate 
	Internet access reminds me of flower power in the 1960s when people thought 
	you could share your love with anyone," says Matai. "It 
	was only later that people realised that there was no room for casual behaviour 
	and so it will be with Internet security."