Monday, June 12, 2006

Antivirus: Part 1, Meeting customer antivirus policy requirements

Do you ever consider what it takes to meet a customer’s antivirus policy statement before going on-site? You should… and with the number of VARs, network integrators, IT consultants, etc. that have to go on-site to customer locations – especially with large customers, you’d think there would be more conversations surrounding how to meet a customer’s antivirus policy when working at their location.

What do you mean?

Well, consider this. You work for a consulting shop… you have engineers of various types (programmers, netadmins, electrical engineers, etc.). These personnel work on projects for customers. In at least some cases, these personnel will need to go on-site to the customer’s location (either via VPN, or be physically on-site). And of course, they’ll need to bring their laptops with them and connect to the customer’s network. Maybe some customers have guest VLANs configured, but in some cases (and in my experience, most) customers will require that you be connected to a production LAN of some type – either to work on servers, databases, etc. How can you be sure that your employees have antivirus software that is fully up-to-date?

Now, simply telling employees – even very good and technical employees - to make certain their antivirus software is fully up-to-date probably isn’t enough. Maybe infection notifications – pop-ups, emails, etc. might be of some use. But this isn’t necessarily going to give your customer the protection you want to give them!

Considering Risk!

It’s important to consider the potential risks you expose a customer to when someone on your staff takes their laptop on-site. In fact, it’s probably even more important because the scale and scope of the risk is probably greater. For instance, what’s the worst case scenario on your internal network – a massive outbreak that results in downtime and extra work? That’s bad. But what’s the worst-case scenario for your customer – pretty much the same thing – except the customer can choose not to work with you in the future… so it’s not just downtime and soft numbers, but the potential for a material impact to your business.

So having fully patched operating systems and up-to-date antivirus software is even more important. In fact, it should be a given. But how do you validate this? Validation should be accomplished though a combination of good policies, procedures, and tools.

In follow-up posts, I’ll discuss what we're doing to better protect our customers.

No comments: