Stuart Gentle Publisher at Onrec

Virus cost major IT users 122,000 per incident

Vendor independent study highlights need for better protection

The cost of computer viruses and worms could be significantly higher than previously assumed, according to new statistics released today by the UK’s leading representative body for major users of IT, The Corporate IT Forum - tif. Research amongst tif.’s 140 member organisations indicates that each incident is costing an average of 122,000 in man-hours and related costs. These figures are released in the context of steadily increasing incidence of viruses and worms being used to attack corporates and public sector organisations in the UK and around the world.


Prior research, published in 2002 by the DTI and PricewaterhouseCoopers, arrived at an average figure of 30,000 per incident. The FBI’s 2002 estimate was 207,000 ($0.3 million) per incident for virus/worm incidents in the US. According to David Roberts, tif. Chief Executive: Looking at the impact of the Welchia/Blaster viruses and worms that hit the UK in August, together with the US figures, we believe that the cost of viruses and worms is much greater than originally thought.

And our research is just the tip of the iceberg. tif. comprises organisations that spend millions every year on their IT infrastructure and who have already recognised that it is business critical. This inevitably means that the survey group have better than average security and incident response policies in place. Organisations with relatively poor protection will be being hit even harder as they will suffer more downtime and wider business disruption - as well as getting more viruses in the first place. Ultimately virtually every consumer and every shareholder is paying a price for inadequate protection.

tif. research showed that most large organisations are well or very well prepared for incidents. Those with good incident response policies spent less time and money tackling the incident. Only one organisation surveyed had been unable to tackle an incident quickly enough to prevent significant business outage costs, resulting in lost revenues of well over half a million pounds as well as fix costs.

Causes of incidents included contractors'/business partners' systems. David Roberts says: This emphasises the need for organisations to apply security policies to third parties accessing their networks. tif.’s Information Security Service will be publishing two management briefs on this area shortly. Furthermore, these figures provide CIOs with the ammunition they need to justify further investment in security software.


tif. distributed its template for costing security incidents to its members in September 2003 to record the cost of Welchia/Blaster viruses and worms that hit in August. Three-quarters of Information Systems departments surveyed by the tif. Information Security Service incurred costs associated with effort, loss or both, with an average of 365 man-hours incurred. In just over a third (35%) of cases, the whole organisation was affected with an average of 3,080 man-hours incurred or lost.

According to tif. member Andrew Kirk, who is responsible for information security policy at Diageo: The results have enabled us to see how our costs compare to other companies. You can’t get this data from other sources because you don’t have the opportunity to analyse the results in detail, such as the cost per server and per user, allowing us to relate the figures to our own company size and sector. The tif. template provides us with a common basis for evaluating costs and to understand how they are actually reached, enabling us to make realistic judgements and predict likely investment needed.