Although the "direct" costs of worldwide malware attacks have declined for three years in a row, "indirect" costs have continued to rise, a new report from market research firm Computer Economics indicates.
Last year's direct damage attributed to malware totaled £6.7 billion globally, down from £7.2 billion in 2005 and £8.9 billion in 2004, according to the report.
Mark McManus, Computer Economics' vice president of IT research, attributed the three-year decline to two factors: the widespread use of anti-malware technology and a shift in cyber criminals' focus from creating havoc to profiting from their work.
"Anti-malware technology is becoming more widely deployed and is fairly effective in defending against many types of malware threats," he said. "Virtually all business computers are protected by anti-virus systems, either at the desktop or firewall, or both."
In addition, malware authors are now motivated more by financial gain than by disrupting systems, as they were in the past. Malware authors no longer release malware merely for electronic "vandalism," McManus said. "They design malicious code to quietly use infected machines to send spam, steal credit card numbers, perpetuate click-fraud, display advertisements, or provide a back door into the organisation's network."
That "implies" that indirect or secondary damages are likely increasing, according to McManus. A spyware attack that causes only a few thousand pounds in labour costs to clean up, for instance, could well allow an attacker to steal a password, then infiltrate a network and download critical inside information, which could lead to substantial secondary losses that "could be devastating."
Computer Economics didn't put a number on the indirect costs associated with fighting malware, however. One of the major challenges in quantifying the impact of malware is that only 28 per cent of organisations track both the frequency and economic impact of malware attacks, according to the report. "Almost two-thirds (63 per cent) track the number of events but do not account for the economic impact . . . [and] nearly one tenth do not track any information regarding malware attacks at all."
The hidden costs include what Computer Economics calls "preventive" measures associated with protecting systems from malware, such as deploying technology solutions (antivirus hardware and software) and carrying the ongoing personnel costs of IT security staff. The company defines direct costs as those associated with labour to analyse, repair and cleanse infected systems, loss of user productivity, loss of revenue due to the loss or degraded performance of systems, and other expenses directly caused by a malware attack.
"Just because we saw another drop doesn't mean this will continue in 2007," McManus said. "Direct costs are on track to climb higher than in 2006 because of the large number of major malware attacks we saw in the first two quarters of this year."