It’s often difficult to justify security measures because of the lack of realistic data regarding the cost of security incidents. After all, few organizations want to publicize their mistakes! But, from time to time, a snippet of information becomes available that enables us to show the true value of security programs to management.
According to Infosecurity magazine, in May of 2009 the computer systems of Ealing Council (in London) were attacked by a computer virus when an infected USB memory stick was plugged into a PC on the network.
According to the incident report from the council:
At the point the memory stick was plugged in, the virus attacked the host PC. It blocked connections to anti-virus and Microsoft Support websites and attempted to establish connections with 500 internet sites chosen at random from a selection of 25,000, seeking instructions from its author, and sought to also contact other similarly infected PCs that it could find. It then started propagating itself across the Ealing network.
The bill for clearing up this mess … about £501,000 (about US$822,000 at today’s exchange rate) for emergency IT work and lost revenue (the library service reported it lost £25,000 because it couldn’t issue fines after the virus attack, and 1838 parking tickets had to be written off, losing the council about £90,000). Based on the reported figures, that would imply that the emergency IT work cost the council about £386,000 (US$633,000).
OK – this is only one data point. But there are still some key things to take away.
- USB flash drives have become a key method for spreading viruses and malware. This should be a key message in your security awareness training.
- Virus scanning can’t just be limited to email attachments and files on PCs – it must include removable storage such as USB drives and memory cards.
- Disabling USB ports on machines that don’t need them would be an excellent idea!
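As an added illustration of the last takeaway (this script is not from the original post or from Ealing Council), the following PowerShell audits and, with `-Enforce`, applies a "no removable disks" posture on a Windows workstation using the registry locations behind the Group Policy setting "Removable Disks: Deny all access" and the USB mass-storage driver service. It assumes Windows 7 / Server 2008 R2 or later and an elevated session; the `-Enforce` switch and function names are my own.

```powershell
# Added example: audit and optionally block USB mass-storage on a machine that
# does not need it. Assumes an elevated PowerShell session on Windows 7+.
# Without -Enforce the script only reports the current state.
param([switch]$Enforce)

# Registry key written by Group Policy: Computer Configuration > Administrative
# Templates > System > Removable Storage Access > "Removable Disks: Deny all access".
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
# Service entry for the USB mass-storage class driver (keyboards and mice are
# HID devices and are unaffected by disabling it).
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageState {
    $denyAll = (Get-ItemProperty -Path $policyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $start   = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        RemovableDisksDenied  = ($denyAll -eq 1)
        UsbStorDriverDisabled = ($start -eq 4)   # Start: 3 = manual (default), 4 = disabled
    }
}

function Set-RemovableStorageDenied {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # Deny read, write and execute on removable disks for every user of this machine.
    Set-ItemProperty -Path $policyKey -Name Deny_All -Value 1 -Type DWord
    # Belt and braces: prevent the USB mass-storage driver from loading at all.
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
}

$before = Get-RemovableStorageState
Write-Host "Removable disks denied: $($before.RemovableDisksDenied); USBSTOR disabled: $($before.UsbStorDriverDisabled)"

if ($Enforce) {
    Set-RemovableStorageDenied
    $after = Get-RemovableStorageState
    Write-Host "After enforcement: denied = $($after.RemovableDisksDenied); USBSTOR disabled = $($after.UsbStorDriverDisabled)"
    Write-Host "Reboot to be sure the change applies to devices that are already attached."
}
```

In a domain, the same two settings are better delivered through Group Policy so they cannot be undone locally; this script is for auditing stand-alone machines or checking that the policy actually landed.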