Protect your company from deadly viruses

Security, trust and privacy go together. Without security, how can you trust the data? Without trust, how can you feel secure? And without privacy how can the user trust the system with personal data?

To achieve the appropriate balance between security, trust and privacy requires a combination of people and technology, and acorn companies have a major part to play.

They can provide innovative technologies, a task which may prove beyond larger vendors because such technologies could undermine their own business.

For example, email-delivered viruses can be a headache for users and organisations. Antivirus package vendors have created a multibillion-dollar worldwide industry by developing software to keep the viruses in check, or at least minimise the damage.

Yet a UK company claims it can stop all viruses dead. So how does Avecho do it? It will reveal no more than that its co-founder had the idea in the shower.

Avecho believes it has something of astonishing value which can stop viruses that would otherwise cause a lot of pain and money to put right.

But Avecho has decided not to confront the antivirus package vendors head on; instead it provides technology to potential rivals and others to enhance their products.

On another level, how can you ensure your employees know about, understand and are implementing policies?

If you are making security policies, or introducing guidelines regarding the handling of money, or implementing health and safety regulations, you need technology to support your efforts.

Extend provides this support with its PolicyMatter package. A major policy issue is the security of business information. The British Standards Institute (BSI) has devised a policy and standard for information security, BS 7799.

Paul Godden, co-founder of start-up Armana, has devoted his efforts to helping others implement BS 7799. He doesn't think the BSI does enough to sell its initiatives because it's a quasi-government organisation.

Companies such as Armana will be banging the drum to get the message across.

Case study: Extend
They are in their early 40s and no strangers to start-ups. They are building a gem of a company with two main products. And, yes, they admit that they are still making mistakes.

For example, instead of spending the cash on marketing, says chief executive David Guyatt, Extend's founders used about £25,000 of its £ 25m in funding to attend two exhibitions.

The company obtained some useful leads for its two products - BEAP and PolicyMaker - but admits the cash could have been better spent.

The very name, Extend, shows they have experience. They have been here before in the form of Integralis, a security integrator, and two of the three founders were with Content Technology.

Guyatt says he was unhappy with the direction of the new management at Content Technology and began to look for new opportunities.

This is the impetus behind Extend, which emerged from the takeover of Content, which Guyatt and chief technology officer Andy Harris, 42, had developed as a business.

They reconnected with the legal and financial talents of Martin Webster, 43, from the days of Integralis, and burned £50,000 a month of private funding to build a security software company by May 2003.

They have two arrows in their quiver: BEAP and PolicyMatter. BEAP is an easy way to manage the security of applications.

"There is no messing around," says Guyatt. People can download evaluation copies from the beapbeap.com site, which Extend says attracts thousands of hits a day and 250 unique visitors a day.

PolicyMatter is being piloted by several UK companies to create, disseminate and implement policies such as health and safety, financial regulation compliance, audit trail, or service delivery policies by local authorities.

PolicyMatter exists in the world of laws, cops and culture, says Guyatt.

Laws are the regulations and legislation, cops are the codes of practice, and culture is the social way in which the laws and cops are implemented.

All organisations have to comply with the world of laws, cops and cultures, especially in the increasingly regulated UK.

The company's problems is whether those who need this approach know about Extend and its products? Once it is able to talk at a high level to businesses, then the message is understood, and the value of the product appreciated, says Webster.

But it's a matter of gaining awareness for the value Extend's products can deliver to an organisation.

Extend's partners will be responsible for some of this awareness. It has a manufacturing agreement with Clearswift for the use of BEAP. It also has partners for PolicyMatter, including a South East Asian partner as well as Armana Security.

Through these partners and direct sales, Extend's average order is between £2,000 and £20,000.

But as more pieces of security technology are added to the jigsaw, it should be able to expand this to about £100,000, says Webster. Half of the 12 staff are developers, churning out the code.

The quietness of today's market means they have to get their heads down and fight for business, says Webster. Business does not come in the door any more.

Extend will keep a balance between its burn rate and the investments it has to make in people. By January 2004, or shortly after, it hopes to break even.

Case study: Armana
You can spend hundreds of thousands on security technology, but 90 per cent of systems breaches are caused by the human element.

Trouble remembering your password? Then write it on a sticky note and stick it on the screen case, leave it there over lunch and anybody could change the database with your authority.

You leave a company knowing they only kill old passwords every six months? You may have five months of access, which you can use, or sell.

You want to work on paper customer files at home. So you take them, and for the whole of that day nobody can find the file in the office.

Any of these sound familiar? Whatever the technology, you have to secure the individual before it will have an effect, says Paul Godden, founder of Armana.

The company is a partner to Extend; a user of its PolicyMatter product, which Godden uses to create, deploy and implement policies for customers. Godden also comes from the same stable as the Extend clan: Integralis.

He spent nine years there, with his final 24 months spent trying to implement the new security standard BS 7799.

"We turned over all sorts of stones. What was supposed to be a professional security company was not when handling customers' data," he recalls.

Integralis implemented BS 7799 and now has an enormous advantage over its competitors who do not have the standard. It taught Godden that the implementation of security was about more than technology.

"Talk about network security and customers think of modems. We think of policy," he says.

Hence Armana, a security company to help others implement 7799, and the use of PolicyMatter, to provide a technology tool for security policy creation and implementation.

Godden now has four employees, and burns about £5,000 a month in pursuit of a break-even point, which he expects in September.

There are fewer people really clued into security than he had thought. But he may get some support from central government.

"Government is getting very frustrated, especially with local authorities, some of which have no security policies at all. Yet they are managing databases on paedophiles," explains Godden.

Central government is not as rigorous in its implementation of security in this supply chain as it could be.

"A lot of government tenders say that compliance with BS 7799 is essential for those bidding. But government often says 'if you do not have it, never mind'," he says.

Few other companies are focusing on BS 7799, he says. They want to flog firewalls and other commodity products.

But security is about implementing policies, not buying technology.

Godden has products in mind which he wishes to develop. But he will only start to do so when he is generating cash from the consultancy business.

The next people he wants to start to employ are experts in BS 7799. By the end of 2003 Armana hopes to have 12 employees.

The problem is finding the right person in the organisation to talk to, who understands security issues. And finding the right person who still has some budget.

"They all have real pain in security - but nobody has the budget for it. A few years ago people would have bent budgets, but today people live and die by budgets."

Case study: Avecho
Here's a brash statement from a UK start-up only 15-months-old, with 14 people based in Colchester, which will not be in profit until the second quarter of 2004: Avecho's GlassWall software will provide 'absolute' protection from email viruses and hacking attempts.

But co-founder, chief executive and chief technology officer Nick Scales, co-founder and sales director Paul Ridge, and marketing director Chris Dye are not the latest version of snake-oil salesmen, the vendors of the perpetual motion machine. Avecho has patents for its core technology.

It does not tell people how the software works. And it wouldn't want to fight three years in a patent court at £1m a month to defend its intellectual property, says Scales.

It is careful not to divulge the inner working of GlassWall until it has firm non-disclosure agreements.

One outsider under contract to tell the world as little as possible about GlassWall is Adam Twiss, chief executive of Saviso Group, a Cambridge-based technology company.

"GlassWall has the potential to prevent any virus from being transmitted without the need for specific virus information or virus definition files," he writes in a recommendation letter.

If you plug the small footprint of GlassWall into your email system as data passes through, it will catch viruses without modification, updates, pattern recognition, and heuristics, explains Scales.

This technology is only available through an email service and manufacturing deals.

The email service is starting to provide the cash flow, which will ease the burden of the £70,000 a month burn rate.

The big gains will come when Avecho wins two or three major manufacturing sales from large software or service vendors satisfied that Avecho's claims are verifiable.

The government's Communications HQ is putting GlassWall through a formal testing process, says Scales.

All antivirus technology can eventually track a virus. But how fast?

Viruses have about an hour to do their damage. Research shows they do most of their damage in the first 16 minutes. It takes about an hour for traditional antivirus products and services to protect their clients.

"We will reduce that to zero," says Scales.

The downside, says Twiss, is that about one per cent of legitimate emails may be quarantined, held back rather than let through.

With such a strong claim you would have thought Avecho would directly attack the market of the antivirus product vendors. Think again. Scales is trying to position GlassWall as a core technology for those he could threaten with extinction.

"They are our customers. We will not take their revenue away from them," he states.

The more the virus writers attack, the stronger Avecho could get.