Print
Discuss
Send to friend
RSS feedsWhile computer security companies continue to fight and alert people to new viruses or their mutations, we continue to hide our heads in the sand. Seriously at risk are smaller organisations, which account for roughly 30 per cent of UK companies.
Larger companies are generally more aware as they have the staff and can spend time looking at the newsgroups and websites. This is not the case for smaller enterprises, according to Neil Downing from PSI Europe.
The chaos and confusion brought about by the latest wave of computer-borne viruses and worms shows just how vital it is for firms, especially SMEs, to ensure that their IT departments are fighting fit. But this extra pressure is being placed on already over-stretched corporate IT departments trying to patch and protect their systems.
Budget cutbacks in companies have not only led to reduced IT spend on infrastructure, but have left many IT departments pared to the bone in terms of manpower.
This cutback in manpower seriously hinders a company's ability to protect itself. Security patches may need to be applied manually to every desktop within an organisation and this can be a time consuming process.
Companies' IT security in general is at breaking point coping with spam and virus issues, but spend has been pushed back because, despite the warnings, companies never think they will get hit, explained Dan Scobie of Star Internet.
Another problem, according to Michael Lawrence of computer reseller Bentpenny, is that the gap between automatic virus updates leaves companies vulnerable.
"We will update antivirus software and put on the latest patches before a computer leaves us, but because there are so many new attacks the PC can be vulnerable within 24 hours," he told PCW.
"Automatic antivirus updates are released once a week, but if a new attack is found before the released update the systems have to be updated manually and many companies don't have the manpower or expertise [to do this].
"I had one managing director of a large company forcibly exercising his use of the English language [when] they were hit by the MSBlaster worm because the company's IT department's main priorities were to protect the servers and email functions before patching the numerous PCs they had in-house."
Lies, damn lies and statistics
The cost of these attacks to companies is difficult to pin down in quantifiable financial terms even though people try.
The latest assessment released by Computer Economics on the global damage caused by viruses in 2001 is an eye-watering £7.34bn. But the results of this and other studies have always caused controversy.
Computer Economics' figures of damage caused by viruses such as Code Red and its variants (around £1.45bn) and Sircam (£640,000) are dismissed by the antivirus industry as merely 'guesstimates'.
The argument against calculating the total cost is that they vary wildly. Companies are unwilling to own up to attacks and often have no idea of what damage has been done or what it will have cost them. Even Computer Economics admits that only about 20 per cent of computer security violations are reported.
There are also other non-quantifiable costs such as negative publicity, and a decline in stock value and customer confidence as the SQL Slammer worm demonstrated.
One large US banking company had to close about 13,000 cash machines, and a major international airline could not sell tickets over the internet because the worm made its computers fail.
There are also reports that US emergency service workers in Seattle could not answer emergency calls because the worm caused their computers to fail.
Although the clean-up cost and loss of revenue has been put at around £550,000, the most significant cost was the perception that affected companies' security procedures were inadequate.
August's Blaster.exe worm caused a similar public perception. A number of universities in the US are reported to have been badly affected and PCW has learned that at least one UK university was similarly hit, causing real problems for academics returning for the new year.
Consumers have also been badly hit. Often unaware of the latest problems, they also lack the expertise to fix the necessary vulnerabilities. This combination can be the weakest link in virus propagation.
Even buying a brand new PC can cause problems. One woman told PCW of her trials after buying a new PC that was preinstalled with software before the Blaster patch was released.
When she hooked up to the internet she was immediately infected. Cost of clean-up? £80. Damage to company public relations? Unquantifiable.
Paying to put it right
Just as the cost of damage is difficult to ascertain so too are the costs of maintaining secure infrastructures. According to the security industry there are so many parameters that can be covered.
A single licence for one security application can cost as little as £15 a year for a simple firewall, to upwards of £700 for auditing software, according to Geoff Davies of Qualys.
This means that protection for larger organisations running a series of comprehensive security solutions can run into thousands of pounds annually.
These are the companies that will be using automated security such as auditing procedures and intrusion detection systems on top of traditional security software, such as firewalls and antivirus solutions.
Michael Small, divisional vice president at Computer Associates, said: "The organisation should install and configure appropriate technology to guard against the risks of malicious code.
"This should start with ensuring that critical systems are correctly patched and configured to correct or avoid known vulnerabilities."
All the security companies we talked to, however, agree that there is no single solution. Because security is now so complex, covering many areas including gateways, networks and desktops, firms need to combine different kinds of security from more than one vendor.
Small added that malicious code has evolved to bypass protection points such as email servers and to propagate directly from computer to computer, and that too many companies take the cheap option and rely on antivirus software at the desktop.
This, in turn, can be hindered by some Microsoft patches failing to work as well as they should. But this doesn't mean that Microsoft isn't on the case.
The company told PCW: "Microsoft is working hard through the Protect your PC campaign, and other measures to be announced, to make existing security protections easier to use, including technical enhancements that focus on improving overall platform security.
"We are listening to our customers and, based on feedback, we are evaluating alternative patch management solutions that will assist both our consumers and business customers to manage the patch process more seamlessly.
"Currently, Microsoft is urging customers to protect their PCs by visiting www.microsoft.com/protect, and businesses to www.microsoft.com/security, where they can obtain the most recent security updates, patches and required information."
But this is a flawed solution since it may be difficult to ensure that all company PCs have up-to-date virus signature files and are configured according to policy.
It seems that companies are waking up to the fact that they need a variety of IT security solutions. Analyst IDC predicts that global spending on security and business continuity will grow at twice the rate of other IT categories reaching £64.5bn by 2007.
It is estimated that users will have to spend an average of £55 per desktop on specialist security software to protect their IT environments.
It is estimated that this increased IT security spend means corporations will devote roughly 10 per cent of their total IT budget to security in 2003, an eight per cent increase over 2002.
Companies can ensure that they don't spend unnecessary amounts, however. Before they begin buying security, companies need to ensure that they can understand, manage and enforce a security policy, according to Dan Hubbard of Websense, which runs software and services that enable businesses to monitor, report and manage how their employees use the internet.
Computer Associates' Small warned, however, that the "cost of managing the chosen solution can be a major ongoing cost and a solution that is easy to manage is paramount".
While security firms concentrate on corporations and organisations, consumers can be heavily hit. Software helplines typically cost around £1.50 per minute to use so it is not hard for someone to run up a £40-plus bill trying to find out what is wrong with their PC and how they can fix it.
Very often the advice offered is beyond the scope of many consumers who have to rely on technicians to fix their problem. With this costing from £80 to well over £200, the expense can escalate rapidly if a virus continually hits.
It is a sad fact of life that virus attacks are here to stay. Whether you are affected at home or in business there are costs to be borne; just how much has yet to be confirmed.
They are substantial, however, in terms of time and data lost, and they will continue to grow with the increasing and evolving threats. All we can do is take as many precautions as possible and, of course, watch the headlines for the next wave.
The good virus
The Welchi (or Nachi) worm appears to fit the old adage that the road to hell is paved with good intentions. Dubbed 'the good virus', its aim was not only to kill the Lovesan worm but to disinfect infected computers.
This worm was first discovered on 18 August 2003 and uses the same technique to infect PCs as Lovesan. Welchi also tries to infect web servers running Microsoft IIS 5.0, by exploiting a Webdav vulnerability found in March 2003.
Welchi is programmed to die on 1 January 2004 at which time it will uninstall and remove itself from infected systems.
Good news, you may think. But with the best intentions in the world, this benign worm generates a lot of network traffic causing problems for some routers and switches. It also downloads itself without the consent of the computer user.
Naturally antivirus and security companies are extremely concerned about this type of attack, however well meaning.
Pete Simpson, of security firm Clearswift, warned: "Researchers at Xerox pioneered the self-replicating program [now known as a virus] as a useful way to carry out housekeeping and clean-up tasks.
"In practice, they found undesirable side effects, such as multiplying out of control and escaping from the experimental networks.
"The 'good' virus is fine in principle, but unpredictable in its side effects and bandwidth consumption.
"Even worse, if well behaved 'good' viruses were employed routinely, even being polite enough to ask for permission to run, the bad guys would soon jump on the bandwagon and masquerade their wares as 'good' viruses.
"How do we prove a virus is 'good' before we consent to it executing on our system?"
The real impact of viruses: Part 1
See also:
Stronger corporate defences make poorly protected home users easier targets 24 Sep 2004
Hit by the world's worst virus? Scrub your PC clean with this free tool. 05 Sep 2003All Antivirus and Firewall Protection
del.icio.us
Digg this
reddit!
