Losses From Viruses Reach 5-Year High Swell

This year's spate of successful virus and worm attacks likely will spur investment in security products and services. Companies such as Cisco Systems, Juniper Networks, McAfee, Sana Security, and TippingPoint, which sell host- and network-based intrusion-prevention systems, should profit as businesses seek technologies that do more than network firewalls and antivirus software, which just don't provide the level of protection most companies need (See "Get Your Shields Up!" Oct. 11, p. 48).

Although the costs associated with virus and worm attacks against business-technology systems have declined or stabilized for several years, they're now going up. If cost projections from research firm Computer Economics are on target, worldwide losses due to virus attacks this year will reach $17.5 billion. That's a big increase from $13 billion last year and tops the previous record-breaking year of 2000, which saw $17.1 billion in damages. That was largely attributable to the LoveBug attack, which struck in spring 2000.

None of the attacks in 2004 top the $8.8 billion LoveBug price tag. However, this year's series of attacks come at a time when companies admit that their antivirus defenses haven't been improved in the past year. Computer Economics' Impact of Malicious Code study, which surveyed 100 IT and security executives in midsize to large businesses, also found that less than half believe that their companies are better prepared to defend themselves against virus attacks.

The 2004 CSI/FBI Computer Crime and Security Survey also finds that preparedness is lacking. Only 45% of companies surveyed use intrusion-prevention systems. Instead, most use tools that work after attacks are already under way, such as intrusion-detection systems, firewalls, and antivirus software. The study also supports Computer Economics' finding that the cost of malicious code attacks spiked this year.

How does your company plan to protect itself from malicious code attacks? We'd like to hear about the strategies that you'll be using.

George V. Hulme,
Senior Editor, Security
[email protected]

Better Defenses?
Is your company better prepared to protect against malware attacks in 2004 than 2003?

Between February and May 2004, variants of MyDoom, Netsky, Bagle, and Sasser caused more than $11 billion in damages worldwide. However, of the 100 sites Computer Economics surveyed, a quarter report that they're no better prepared for attacks this year than last, while another quarter are less prepared, and 4% aren't sure. Forty-six percent report that they're better prepared.

August Experiences
What effect did the August 2003 worm attacks have on your network or computing infrastructure?

August 2003 was one of the worst months for worm attacks. How unprepared companies were for this series of high-profile assaults is alarming. Twenty-eight percent report that the attacks had a significant effect on computing operations, another 28% say the impact was noticeable, and only 29% of sites interviewed by Computer Economics report no impact compared with 15% that experienced minor issues.

Top Attacks
What was the financial impact of the major malware attacks in 2004?

None of the attacks this year top the dollar losses attributed to the LoveBug attack four years ago, according to Computer Economics. But the four largest attacks of the year have proven a wicked and costly combination. Damages worldwide attributed to MyDoom are estimated at $4.75 billion; Sasser, $3.5 billion; NetSky, $2.7 billion; and Bagle, $1.5 billion. Total combined losses are estimated at $12.45 billion.

Spending Reaction
Is your company acquiring new products or services as a result of recent malware attacks?

Companies are learning from their security shortcomings and taking steps to limit future losses and downtime. To beef up infrastructures against virus and worm attacks, businesses are acquiring additional hardware and software.

Some are even hiring security consultants to shore up IT and business operations. On average, Computer Economics estimates that 3.2% of business-technology budgets go to information security.