The Code Red worm and its sequel Code Red II have been hitting the headlines for a fortnight, with hundreds of thousands of Web servers affected.

At the same time, the SirCam worm has been circulating as an attachment to e-mail with the catch-line "I send out this file in order to have your advice." Those who activate this worm by opening the attachment send it to contacts listed in address books and risk deletion of hard drives.

Early fears that the Code Red worms would cause the Internet to grind to a halt proved unfounded. However, these worms have caused losses estimated at more than US$2 billion, and have served as a warning on the vulnerability of businesses which trade over the Internet.

As with previous viruses and worms, the main cost to affected businesses is fixing machines and applying software patches. However, businesses also can suffer lost income as a result of operations being interrupted and incur substantial costs and liabilities arising out of customer-service difficulties.

Any business operating online runs the risk of being affected by worms, viruses and other forms of malicious code. However, there are a few simple steps to minimise these risks and cut potential losses:

  • Put in place employee guidelines which deal with how e-mail viruses should be treated, such as a requirement that employees refer suspicious e-mail to the IT department before it is opened. If worms such as SirCam and the earlier I Love You worm are deleted rather than opened, all potential losses can be avoided.
  • Outsource virus detection to an expert service provider, either as a stand-alone arrangement or as part of a broader outsourcing policy. As with the implementation of employee guidelines, the primary purpose of such an outsourcing arrangement is to minimise the risk of being infected by viruses in the first place. However, in some circumstances, it also may be possible to transfer the risk of losses caused by worms and viruses to the service provider.

  • Review the standard terms and conditions under which the business operates. Any business involved in the supply of goods or services is likely to include in its standard contracts a force majeure clause which excuses it from performing its obligations to customers in a range of circumstances beyond its control. Depending on the nature of relationships with customers and suppliers, it may be appropriate to extend this force majeure clause so that it expressly includes business interruptions caused by worms, viruses and other malicious code.

  • Include a disclaimer on Web sites and all outgoing e-mail which seeks to exclude liability for any worms, viruses and other malicious code which may be transmitted to visitors of the site or recipients of e-mail.

These are relatively straightforward steps to take and although they will not make a business immune from viruses, they can, if implemented properly, make the difference between reading the headlines about the next virus from the standpoint of an interested party or as a victim.

First published in South China Morning Post in August 2001.