Damage control vital to antivirus policy

Businesses cannot expect to avoid hackers and viruses and must be able to respond quickly to threats, according to senior IT executives.

Companies should concentrate on their response to attacks, said Paul Stimpson, global head of technology risk management service delivery at investment back ABN Amro.

Speaking at the Infosecurity 2004 show Stimpson said "At some point you can guarantee you will get a virus in your organisation.

"You are going to get hit so start planning for it now. It's all down to how you manage the problem. Having a solid firewall isn't going to help you any more."

Gerhard Eschelbeck, chief technical officer for Qualys, cited the reverse engineering of patches as another major problem.

The time to reverse-engineer an exploit for a patch is shrinking to days, he claimed, and said companies should use an automated patch management system to allow them to focus resources on other areas of IT security.

John Meakin, group head of information security at Standard Chartered Bank, said it was inevitable that vendors would continue to produce software with vulnerabilities.

"This is a game of catch-up. Rule number one is to manage your time and look at how best to use it on your assets. Those who have experience in disaster recovery can apply some of the same skills to this."

David Lacey, director of security at the Royal Mail, said his company had centralised its IT infrastructure and patch management and found the system worked very well. But he stressed that users needed to be more careful.

"Education is very important, and that extends from users and staff and in the wider world," he said.