Why you or your staff need to take action even though you believe your IT staff already deals with these problems
When you read about viruses and worms running rampant through the internet, you probably sigh with relief, sure in the knowledge that your crack staff is on top of the problem.
Well, don’t sigh so soon. According to a paper by Eric Rescorla of RTFM, Inc. (http://www.rtfm.com/upgrade.pdf), “Two weeks after the bug announcement, more than two thirds of servers were still vulnerable.” For the curious among you, after a week only 23% of shops had taken appropriate steps to eliminate the vulnerability.
Now, we know that running an IT organization is not easy, and it is not easy to find time to deal with vulnerabilities. Nonetheless, if after a week only a quarter of all shops are secure from a specific vulnerability, and only a third are safe after two weeks, the likelihood is that your shop is one of those that have not acted in a timely manner.
If the vulnerability is one that affects, say, servers not directly under your immediate control, the only thing you can do is to try to change policy if it is within your purview. On the other hand, many vulnerabilities affect individual computers, and your computer is, in fact, under your control. The bad news is that there is no reason for us to assume that you, as a senior manager, have the expertise to maintain your computer. We do assume, however, that you have the ability to have someone from IT set up a schedule to check for updates and patches and see that they are installed on your computer in a timely manner. This includes making sure that anti-virus software is current, that virus definitions are updated regularly, and that operating system and application patches are applied in a timely manner.
On our computer the anti-virus software updates itself automatically, the operating system checks for updates periodically, BigFix notifies us of some patches and upgrades, and we run the Windows Update software at least weekly to check for anything not otherwise seen. Does this guarantee that we won’t have problems? Of course not, but it certainly minimizes our risk.