How can you be sure your organization doesn't have insidious viruses or other malware lurking within systems and applications, waiting to inflict damage? You can't.
Malware has grown sophisticated to the point where there's no guarantee that it's actually gone, even when you've applied the latest antivirus software. Making matters worse, IT infrastructures are becoming much more complex -- with an ever-growing population of devices that give malware even more possible entry points.
[ Your executives are big, fat, juicy targets for spearphishing attacks. Learn how to protect them from being harpooned. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. ]
These days, you have to assume there are some infected PCs or other devices on the corporate network.
Get used to it: Malware is everywhere you go
The malware problem is getting worse. According to the Ponemon Institute's 2011 State of Endpoint Risk study, 43 percent of the 782 U.S.-based IT and IT security professionals surveyed reported a "dramatic uptick" in malware in 2010. Fully 98 percent of the organizations surveyed by Ponemon experienced a virus or malware-based network intrusion, and 35 percent said they had experienced 50 malware attempts within a span of just one month, or more than one intrusion per day.
"The current batch of malware we're seeing is very sophisticated and well written, and it hides itself well and avoids detection well," says Fred Rica, principal in the information security advisory practice at the PricewaterhouseCoopers consulting firm.
The good news is that this "living with malware" scenario doesn't have to lead to lost data, unavailable systems, or other problems. Companies can and do function despite these intrusions.
Here are some approaches that can help minimize the effect of malware on your network and in your systems so that your company can carry on with business despite the nagging presence of these troublesome programs.
Malware survival tip No. 1: Practice good data governance
You can help minimize the damage caused by malware by more effectively protecting the specific types of data that many of the malware programs are going after in the first place. In a lot of cases, they're looking to exploit sensitive data such as personal information, trade secrets, research and development findings, and other intellectual property, Rica says.
PricewaterhouseCoopers is working with many of its clients to create a strong data governance model that helps the organizations better understand what their most critical data is, where it's stored, how it moves on the corporate networks, and how they can put the right controls in place to maximize the security of that information.
An audit of the information assets at many companies will show that sensitive data such as customer credit card numbers is initially well-guarded, Rica says. But eventually it ends up in less-protected applications such as spreadsheets or emails, where it is more susceptible to malware.
"We've seen clients lose tens of millions of credit card or Social Security numbers because they're in spreadsheets somewhere outside the HR system," Rica says. "Our approach is to use better data governance models so that this data has the same [security] controls around it regardless of where it resides. Make sure the data is protected through all stages of its lifecycle."
Because all data is not equal, a key part of data governance involves categorizing information so that you can identify which data is most critical to the company and its customers. From there, you can apply more stringent access controls.
"Start to separate the infrastructure based on what are your crown jewels versus what's costume jewelry," says Patricia Titus, chief information security officer at technology services provider Unisys. Titus says Unisys uses guidelines created by the National Institute of Standards and Technology (NIST) designed to help organizations characterize the importance of their data and select the right security controls.