As The Worm Turns: Disclosing A Hack

Skirmishes in the hills of southern Afghanistan grab today's headlines, but there are pitched battles occurring on other fronts that don't always make news. In the last two months, a bout of worm attacks have struck untold numbers of companies around the globe. In November, W32.BadTrans .B-mm swept through 50 countries, as did Nimda.E, the latest version of the Nimda worm. During the past couple of weeks, the Goner worm has successfully infected about 840,000 machines worldwide. Computer Economics estimates damages from this latest worm at $7.5 million.

Although concern about security continues to be significant, companies are reluctant to admit when security attacks and breaches affect their operations. Of the 4,500 security professionals who participated in InformationWeek Research's 2001 Global Information Security Survey, fielded by PricewaterhouseCoopers, 43% say their companies remain tight-lipped about security incidents.

A majority of sites instead prefer to keep business associates and response teams in the dark when security attacks occur. Only 12% of survey participants say suppliers and vendors are notified after a security episode; just 14% alert business partners. CERT and local or regional response teams are some of the organizations that companies are willing to debrief, but only a small number of businesses communicate with such groups once attacks takes place.

Customer notifications are rare. Customers simply aren't informed about security breaches or threats, report 85% of security professionals.

But this reluctance to fess up might change, especially as virus and worm attacks become more sophisticated. Take the Goner worm: It destroys files and firewalls, and it's designed to leave behind back-door access points for possible follow-up attacks. As company liability increases, businesses may be more willing to discuss security attacks.

How is your company going to change its approach to security threats and practices next year? Let us know at the address below.

Helen D'Antoni
Research Manager
[email protected]

Own the data behind InformationWeek Research. See our available reports at informationweek.com/reports.