PREVENTING ATTACKS

Preventing Attacks



Preventing Attacks

Introduction

The latest scare to focus the attention of information technology and systems managers and experts, and computer specialists, was the Sobig.F computer virus that contained an alarm program that had been designed to cause havoc through activating and synchronising an attack on infected networks (Ungoed-Thomas, 2003, p. 19). This episode is yet another aspect of an established and growing culture of computer oriented crime that is aimed at causing as much disruption as possible to organizations and individuals. Computer-oriented crime covers a broad range of activities that include the work of computer hackers (some of whom have criminal intent) and those set to cause maximum disruption by producing and unleashing a computer virus. Indeed, according to Craig (2002) of Trend Micro, The Love Bug virus that was launched in May, 2000, was said to have caused US$8.75 billion worth of damage and a direct action worm which attacked web servers and infected 250,000 computers in nine hours caused an estimated US$2.4 billion worth of damage.

Preventing Attacks: A Discussion

Ungoed-Thomas (2003, p. 19) has put all this into perspective by indicating that Price Waterhouse Coopers have estimated that the total cost in terms of lost business and related costs vis-à-vis the work of computer hackers and virus authors is put at £1 trillion. This is an enormous amount of money. However, when viewed from an opportunity cost perspective, the figure cited seems to take on a far more serious meaning. It can also be argued, that in order for organizations to either make cost savings or provide higher returns to shareholders, senior managers are going to have to share more information relating to the work of hackers and virus producers with staff employed by other organizations. But this is easier said than done owing to the fact that managers are reluctant to share or divulge sensitive and in many cases confidential data and information. This is because unnecessary leaks can result in inappropriate publicity for the organization that has been targeted by hackers or organized criminal syndicates. As a result of negative publicity, business may be lost or various investors may consider further investment in the organization to be too risky and they look elsewhere. A targeted organization may also suffer in the sense that contracts with clients are cancelled and damaging rumours begin to spread throughout the industry.

Senior managers do need to be made fully aware of the costs involved, and as a consequence more needs to be done than just putting in place a risk assessment team that deals with clear-cut matters of uncertainty. For example, Craig (2002) has indicated that the other related costs associated with an attack on an organization (such as a clean up operation), can cost anything from £3,000 to £300,000 per virus infection. This is proof alone that small and medium-sized organizations are at risk, if senior management has not made security a core activity. By making security a core activity, the security function within the organization can be integrated into the ...