Real criminals are now in control of security threats, and brand reputation and market share are at risk.
The direct costs of malware were down in 2006, but hold off on cheering. The indirect costs (loss of brand reputation, market share, and such) likely are increasing as a result of the role criminal enterprises now play in all this.
Oh, and if that isn't cheery enough, direct costs (things like labor to analyze and clean up infected systems, and loss of revenue due to loss of or degraded system performance) also were up for the first six months of 2007.
This year is on track to surpass last year's direct-cost damage estimates, according to Computer Economics, which has published its 2007 Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnets, and Other Malicious Code.
The report finds that for the second year in a row, malware cost damages declined worldwide. In 2006, direct damages fell to $13.3 billion, from $14.2 billion in 2005, and $17.5 billion in 2004. But with indirect costs predicted to be rising, the respondents to the survey say they consider that the malware threat has gotten worse over the past year.
The downward trend in direct costs last year has another dark side.
"The direct costs are down because they're not trying to wreak general havoc," says Mark McManus, VP, IT Research at Computer Economics.
Not only is malware these days directed at a more targeted set of organizations, but some companies may not even have recognized attacks were underway. Unlike the malware exploits of the past, when young hackers' aims were to be publicly recognized for causing widespread disruptions, today's malware producers are typically criminal gangs engaged in stealing identities and money.
"Now it's more targeted attacks, and more covert attacks. You don't want it to be known you're in the system if your intent is to make money," says McManus.
And it's getting more challenging for security vendors to keep up with the threats. The end of last year saw a rise in polymorphic malware attacks, which do very quick bursts of dozens of variants of the same virus in a short period of time, McManus says.
"That makes it very difficult to put a signature on it," he says.
Anti-virus vendors are making strides by using heuristic techniques to try to determine what these variants have in common. But it's no easy task given what they're up against. In the first half of this year as many as 1,000 variants of several different viruses hit within a one-week period, McManus says, carrying Trojans that unleash spyware, password sniffers, and other hazards.
It's hard to find much positive news in this, but one very thin silver lining is that the activity is getting more companies to report incidents and cost damages to law enforcement, as well as cooperate with other organizations to fight cybercrime. Unfortunately, there haven't been any big breaks resulting from this yet.
To help combat the problem, McManus says businesses increasingly are turning to security managed services for network audits or management. Companies are getting better at keeping up with new releases of anti-virus software, but they also can't let down their guard on ensuring that employees are aware of the risks.
"The training issue still has to be there," he says. "You tend to get lax if you haven't been hit over the head in two or three years."
It's obvious that malware authors aren't giving up, he says, and neither can you.