By Terry Sweeney
With Mark A. McManus, vice president of technology and research for Computer Economics Inc., a consultancy in Aliso Viejo, Calif.
This interview originally appeared in the IT Business Edge weekly report on Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit www.itbusinessedge.com.
Question: Your recent report on the economic impact of major virus attacks breaks down costs into multiple layers: labor for analyzing, repairing, and cleansing systems; procurement costs of software and hardware tools to assist IT; consulting or contracting expenses; and loss of revenue from Web-based services that aren't available. For enterprises that are trying to control spending, which one of those costs do you see growing most quickly? Why?
McManus: The loss or potential loss of revenue is growing most quickly. Tools to combat virus and other cyberattacks are getting more and more sophisticated, and the cost of applying patches or updates to new threats is less costly than it used to be. The labor cost (although still significant) is also decreasing as automation has sped up the cleansing and recovery process. Consulting costs will probably peak this year and likely begin to decrease as well, but will still remain a significant factor. However, the potential loss of revenue due to a denial of service attack or significant service slowdown will continue to grow as more business is conducted and dependent on Web services. Additionally, any lost data as a result of an attack also has the potential to drive up revenue losses significantly.
Question: Your research shows that 2000 was the high-water mark for global losses from viruses—$17.1 billion. It declined the next two years to $11.1 billion, only to jump to $13.5 billion in 2003. Given MyDoom, Netsky and Bagle variants, is it safe to assume 2004 losses will climb again?
McManus: Again, the potential risk is most serious from a loss of revenue or potential revenue perspective. There is a serious risk that a "super virus" could cause a prolonged DoS attack across many industries now dependent on the Web and other network-related services.
Question: What do you advise enterprise clients to do who want to contain their security-related costs?
McManus: Ensure you're adequately budgeting for IT security services including hardware, software, outside services and internal staff. In terms of outside services, don't cut corners—bring in highly skilled and reputable security consultants if you require outside help. In the long run, it will be less costly. There is information available from research companies to help benchmark whether your organization is adequately budgeting for security. Make sure you have effective security policies and procedures in place that are based on "best practices." Make everyone in the company READ the security policies and sign off that they have done so. And enforce the rules stringently and without bias. If you haven't already done so, appoint a senior security officer who is high enough in the organization to have clout, and make this the security officer's primary job, not an add-on responsibility. Develop an environment where security is part of everyone's job and responsibility.