Subscribe
About

Cost of malware soars

Companies are increasingly concerned about the costs of virus attacks, with a recent study showing many have cause for alarm.
Jeremy Matthews
By Jeremy Matthews, Head of Panda Security's African operations.
Johannesburg, 07 Dec 2006

The most common requests from clients to vendors in the security industry are for figures relating to the number of virus attacks, what they would end up costing their company and the possible return on investment in security suites or devices.

Although this data is difficult to produce due to the dynamic nature of malware, a study was recently commissioned to extract some figures from companies all around the world.

According to the data gathered, the average annual cost of computer attacks on companies without adequate security devices has soared to R1 270 000. This represents the average cost for a company with 10 employees. This figure was calculated in terms of productivity loss, bandwidth consumption and time dedicated by IT staff to cleaning the network.

The study also showed that 5% of all traffic is infected by some type of malware. This includes identity theft, spyware and social engineering, which can result in direct financial losses through the revealing of personal information, theft or even industrial espionage. Malware also includes traditional viruses and rootkits, which can corrupt an entire system or network.

According to a study undertaken by Gartner earlier this year, the replacement or cleaning-up of data as well as the allocation of human resources results in costs which are up to five times higher than the initial investment in a security solution.

Taking control

Other insights gathered from the study indicate that monitoring of Internet usage is inefficient as over 40% of Web browsing in companies is non-work-related, including numerous downloads, limiting bandwidth usage for other workers and, in our particular South African context, diminishing the available ADSL cap. This non-work-related surfing includes visits to pornographic Web pages, which often conceal additional malware.

The negative impact of spam on companies' productivity is a proven fact, and the volume of daily unwanted mail is on the increase.

Jeremy Matthews, Dax Data founder

Although it is not directly considered malware, spam is another nuisance that will affect the company's bottom line. According to the same study, the average annual cost of spam in companies without adequate security devices has soared to over R505 000. Again, this is the average cost for a company with 10 employees.

At least 21% of e-mail reaching companies is spam. This increases costs, undermines user trust online, occupies valuable storage space on mail servers, reduces productivity and spreads viruses and malicious code. The annual productivity loss per employee, attributed to spam, is approximately equal to R50 000 with each individual receiving nearly 7 500 spam messages a year.

Similarly, a past study by Nucleus Research has shown that spam accounts for nearly five minutes of every hour spent online by employees and that the average company will lose one out of every 70 employees' productivity to spam.

The negative impact of spam on companies' productivity is a proven fact, and the volume of daily unwanted mail is on the increase. As is often the case, adopting preventative measures is actually more profitable; having to correct an undesirable situation may increase the risk of damaging the organisation's reputation.

Educating users

Although legal protection concerning these kinds of threats has made considerable progress over the past year, employers should always keep their employees well informed when it comes to prevention and regarding which actions to take when they receive spam.

Dealing with spam manually in companies and using no other method is not an option. The same can be said for leaving the task of deciding which protection policies to adopt in the hands of each user. Although all members of the company should be involved in the fight against spam, someone - the mail or network administrator - must coordinate these efforts. And this coordination task is much easier if administrators are equipped with tools that allow a range of different anti-spam protection to be installed, maintained and supervised without having to go from machine to machine to determine its level of protection.

However, a correct, remote administration of the anti-spam systems does not guarantee that the false positives are an exception. It is necessary to have anti-spam protection that is able to provide each layer of the network infrastructure with protection based on the latest detection and filtering techniques, while also allowing end-users to decide which mail could be spam, judging by their own scale of values.

So what should be done to keep companies and employees protected from this flood of malware? Up to date security suites with proactive technologies are a first step but most companies may want something simpler to install and manage. Network security devices, such as unified threat management appliances, offer excellent protection against both spam and malware, and ensure a rapid return on investment. They are also easy to install and monitor.

Don't put company information at risk and don't waste employees' productivity. Deal with malware and spam effectively before they have a negative effect on the bottom line.

Share