Bug Watch: UK plc is a risky business

Bug Watch: Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Robin Dahlberg, managing director of Internet Security Systems(ISS).

To comply with the Turnbull Report, UK plc's need to start managing internet risk - and start managing it now!

The Turnbull Report, little more than a talking shop for the previous two years, reached a new milestone at the end of 2000 as the London Stock Exchange required listed companies to comply fully for the first time with the report's requirements for "internal control disclosure". Thus every listed company is now expected to publish in its annual report the internal controls it has in place to protect shareholders' interests as well as the company's assets. So in one fell swoop, the Turnbull Report has dropped responsibility for risk management directly onto the polished surface of Britain's leading boardroom tables.

Despite Turnbull's huge significance, the business technology press hasn't exactly overwhelmed its readers with a flood of column inches on the subject. This is odd, given that the emergence of the internet economy is doing so much right now to concentrate the minds of the CIOs, IT directors and others who carry the can for management (or mismanagement) of UK plc's information security risks. Despite the bursting of the ecommerce bubble, few British corporations can be under any illusion about their future if they don't get into ebusiness. Most recognise that sooner or later, ebusiness will be their business.

So even if it hasn't been high on the list of priorities until now, there is little doubt that risk management had better figure more and more largely in the life of IT managers as this year's company reports fall due. It is highly likely that intrepid British newshounds are going to start studying annual reports as they come out, looking at how the Turnbull guidelines are covered. If there is no reference to the risks associated with internet security in its annual report, it doesn't take a deck of Tarot cards to foresee what the company's press is going to be like.

But it gets worse. This year or next, a perceived failure by a British company to comply with the Turnbull recommendations is sure to lead to legal action on the part of disgruntled shareholders, business partners or customers for lack of due diligence in protecting their assets from the results of internet security breaches. The Yankee Group estimated the costs to US online businesses hit by last year's distributed denial of service (DDos) attacks to be an astonishing $1.2bn, so we're not talking about loose change here.

Among the threats facing businesses that utilise internet technologies are: damage to valuable data from attacks (whether by hackers or, more likely, disgruntled staff); corruption or loss of data caused by viruses or other forms of malicious code; and attacks that deny customers access to the business.

While we're on the subject of denial of service, the DDos attacks that took down the likes of Amazon and eBay in 2000 were launched from 'zombie' programs that hackers had planted in weakly secured servers. Think about the subsequent liability of an attack on a third party launched, seemingly, from another company's network!

When the stakes are so high, the need to act on internet risk management is imperative. If they haven't done so already, IT management should immediately determine current levels of security-related risk and gain board commitment to the investment in tools and skills required to manage that risk. Failing the ability to recruit the right skills (and they're currently as rare as hens' teeth), managers should look to combine dedicated cyber-insurance coverage with managed security services to transfer the risk they can't handle themselves. The alternative? Better seek employment with a company whose shareholders don't enjoy Turnbull's protection.

Next edition: 2 March