'When it comes to protecting your fleet IT system against viruses and other malicious attacks, the focus is often on technological solutions like anti-virus software. In reality, your own employees are more likely to be the biggest area of risk.
This has been underlined by the spread of the Mydoom virus, which has caused problems among many fleets. Mydoom is widely acknowledged to be the most virulent virus ever, infecting up to one in 12 of all e-mails sent. It spreads as an e-mail attachment and, if opened, copies itself to other e-mail addresses, as well as potentially allowing unauthorised remote access by hackers to infected machines.
However, Mydoom – like many viruses – only works if you manually open the e-mail attachment in your inbox. It takes a person to do this and this is precisely what has happened in the fleet departments across the UK where problems have occurred.
Many smaller fleets that we visit do not have a formal IT security policy but most organisations of any size have one in place that probably forbids the opening of attachments from sources that are not known to the recipient of the e-mail. But in a surprisingly large number of businesses, these policies are pretty much ignored.
A recent survey by Computer Weekly magazine of 200 IT security professionals showed that the level of security awareness among the vast majority of end users was generally perceived to be patchy, quite low, or very low. And it is these people who are the genuine security risk to your fleet IT operation.
The human element also plays a major part in the failing of technological answers to virus attack. The best example here is the laxity with which anti-virus software is kept up-to-date. Anti-virus software is a reactive tool – your software provider writes continual updates based on new viruses or other security threats that it becomes aware of. Dozens, sometimes hundreds of new viruses are found every week, so it is essential to download updates regularly. However, we often visit fleet departments where the person responsible for this key task hasn't updated for months.
So, how should fleets tackle this problem? There are practical steps to take but the main thrust must be the creation of a culture that takes security seriously.
The first step is to undertake an IT security assessment.
Questions need to be asked like: is our security policy comprehensive? Who takes responsibility for IT security? Do we have adequate software barriers in place? Where is attack likely to come from and how should we respond to it?
Part of this task should include auditing the data stored on your system – do you know what you have and is it regularly backed up so that, in the event of problems, you can get back up and running again quickly?
This could mean closer control over which internet sites your employees are allowed to visit and stringent guidelines over who they swap e-mails with. A good example are the 'funnies' employees often send to groups of friends as mass mailings – these are classic routes through which viruses spread and should be stopped completely.
It also means making people aware that your fleet data is a valuable asset, and that any external threat to it will seriously affect your organisation.
Finally, it is worth explaining to end-users exactly what the results of lax IT security could be. A virus is generally a nuisance but is one that could take your organisation days or weeks to be rid of and could easily affect almost all your customers and suppliers; theft of valuable data from inside or outside your company could have a major impact on your business; malicious external hacking, though thankfully rare, could literally bring your fleet operations to a halt. These are serious issues.
Looking back to Mydoom, there was a huge difference between those fleets which had adequate IT security in place and those that didn't.
The former solved the problem in a matter of hours, the latter may still not have found a solution.'