The high cost of flawed security

From the "rather them than us" category, it was revealed that a virus introduced to the corporate network via an employee's USB stick had cost UK local authority Ealing Council more than £500,000, including more than £200,000 in direct costs, including staff overtime, replacing broken PCs, and clearing the virus from other computers.

In addition to its IT expenditure, revenue was lost from parking tickets which could not be processed within the necessary timeframe, library fines had to be cancelled, and additional staff overtime has been scheduled to process the backlog of tasks which had accrued. It was noted that a number of online services were unavailable for a significant amount of time, indicating that the system had not been configured in such a way as to be resilient to unexpected outages.

The story highlights the damage that can be done by a relatively minor act from an individual, who it appears was not acting maliciously -- what can actually be termed "an accident". It is quite likely that many Ealing Council employees have done the same thing on multiple occasions with no negative effects, before the single event which led to a bill of more than £0.5m.

According to Computer Weekly, the authority has "introduced a new policy on removable devices such as USBs, which must now all be registered with the council and encrypted". Clearly this is too late: the threat posed by external memory devices is not newly identified, and Ealing should have had a policy in place already. If it did, it should have been enforced -- there is little point in having an IT policy if it is routinely ignored.

It was also noted that the authority is "looking at an upgrade to Windows XP", which would improve security at a cost of £500,000. The fact that Ealing is almost ten-years behind the curve notwithstanding, legacy technologies are still deployed and supported in many businesses, and the security weakness of these platforms remains a concern. Perhaps biting-the-bullet and spending £500,000 on the upgrade earlier would have saved the £500,000 cost of the recent problems, with Ealing's earlier prudence now representing something of a false economy.

Blogger Anonymous