
Fighting "Melissa," Others Costs Total $1 Billion

Patches are needed to guard against the increasing incursion of computer worms and viruses, two nasty forms of infection that can seriously disrupt normal operating procedures if they are allowed to get out of control.

Viruses are pieces of code, usually spread via e-mail attachments or files passed from one computer to another, which get loaded onto a computer without the user's knowledge. They can replicate themselves and in doing so quickly use up all a computer's available memory, bringing the system to a halt. Worms are special types of viruses that also copy themselves and use memory, but can't attach to other programs.

One of the most famous viruses is Melissa, which began circulating by e-mail on March 26, 1999. When opened by an unsuspecting user, the virus executed a program that sent infected documents to the first 50 entries in the recipient's Microsoft Outlook address book. Companies that were caught unprepared by the onslaught had to shut down their e-mail services. The Financial Services Information Sharing and Analysis Center in Reston, Va., estimated that Melissa infected more than 300 organizations of all types, incurring a clean-up cost of $80 million.

The CERT Coordination Center, which tracks and responds to Internet security problems, has recorded an alarmingly fast growth rate of such incidents. The center, an arm of the Software Engineering Institute, which is operated by Carnegie Mellon University, says the number of virus attacks increased to 137,529 in 2003, up from 21,756 in 2000 and only six in 1988, the first year for which the statistics were recorded. Banks are far from immune. In Deloitte Touche Tohmatsu's 2004 security survey of the world's 100 largest global financial institutions, 83% of respondents said their systems had been compromised in the past year, more than double the figure from the 2003 survey.

The damage caused by these attacks includes the cost of guarding against them. BITS estimated in February that applying software patches costs the banking industry about $110 million a year. When you add in monitoring security alerts, tracking vulnerable devices, upgrading systems and implementing other risk-mitigation tactics, the cost of addressing software security for the industry approaches $1 billion annually, according to BITS.

These cost pressures are starting to show up in information technology budgets. TowerGroup Inc. of Needham, Mass., estimated in February that U.S. banking companies spent nearly 4% of their technology budget on security in 2003, up from historic ranges of 1% to 2%.

— Chris Costanzo
