In-Depth

Security Managers Report Virus Problem Worse

New report charts security manager dissatisfaction

• By Mathew Schwartz
• 03/31/2004

According to the report, virus “disasters” increased by 15 percent last year, while virus disaster recovery costs increased by 23 percent.

The ICSA survey targeted the people most responsible for “computer virus protection” in their enterprise. Data came from 300 respondents, each has at their site at least 500 PCs, two LANs, and two remote connections. All told, the data spans almost a million desktops, servers, and perimeter gateways.

Network Associates, Microsoft, ESET, Trend Micro, and MIS Training Institute sponsored the report.

First, some nomenclature: a “virus disaster” refers to “25 or more PCs or servers infected at the same time with the same virus, or a virus incident causing significant damage or monetary loss to their organizations,” notes the report. In 2003, 92 respondents reported a virus disaster, up from 80 in 2002. Disaster recovery time also increased, from 23 to 24 person-hours.

The cost of recovery, however, increased sharply, from $81,000 in 2002 to almost $100,000 in 2003. Those amounts might be low, too, says ICSA. “Historically, we have found that numbers we obtain from the technical person responsible for viruses is underestimated by a factor of seven or eight when considering both direct and indirect costs.”

Practically all respondents—98 percent—says at least 90 percent of their machines run antivirus software, with 88 percent also employing "gateway filtering" (blocking, quarantining, or stripping) of e-mail and attached files. Of the respondents’ desktops, most used antivirus software from Symantec (43 percent), followed closely by Network Associates (40 percent), then Trend Micro (10 percent), and Computer Associates (5 percent).

Despite installed antivirus software, the virus problem is getting worse. While ICSA advocates continued use of antivirus software, it also recommends increased countermeasures, including virus scanning at e-mail gateways and using generic antivirus controls. (It’s been making that recommendation, in fact, since 1997.) Such controls include blocking certain types of file attachments outright, and configuring many applications—e-mail, Web servers, Office applications—to resist common types of attacks.

The controls are inexpensive to implement and rarely need updating, notes ICSA. Still, “only in the last two years have we seen significant increase in the use of perimeter anti-virus but corporations are still slow in adopting the generic protection.”

Here’s some incentive: According to ICSA and TruSecure 2003 research, even using a two-year old version of its recommendations would have blocked Blaster, MyDoom, Slammer, and SoBig. That’s inexpensive medicine for organizations getting slammed by viruses.