Although the direct costs of worldwide malware attacks have declined for three years in a row, indirect costs have risen, according to a new report from market research firm Computer Economics.

Last year's direct damage attributed to malware totaled $13.3 billion globally, down from $14.2 billion in 2005 and $17.5 billion in 2004, according to the report, "The economic impact of viruses, spyware, adware, botnets and other malicious code."

Mark McManus, Computer Economics' vice president of IT research, attributed the three-year decline to two factors: the widespread use of anti-malware technology, and a shift in cybercriminals' focus from creating havoc to making a profit.

"Anti-malware technology is becoming more widely deployed and is fairly effective in defending against many types of malware threats," he said. "Virtually all business computers are protected by anti-virus systems, either at the desktop or firewall, or both."

Attackers no longer release malware merely for electronic vandalism, McManus said.

"They design malicious code to quietly use infected machines to send spam, steal credit card numbers, perpetuate click-fraud, display advertisements or provide a back door into the organization's network," he said.

That implies that indirect or secondary damages are likely increasing, according to McManus. A spyware attack that causes only a few thousand dollars in labor costs to clean up, for instance, could well allow an attacker to steal a password, then infiltrate a network and download critical inside information, which could lead to substantial secondary losses that "could be devastating."

Computer Economics didn't put a number on the indirect costs associated with fighting malware. One of the major challenges in quantifying the impact of malware is that only 28 percent of organizations track both the frequency and economic impact of malware attacks, according to the report.

"Almost two thirds (63 percent) track the number of events but do not account for the economic impact…nearly one-tenth do not track any information regarding malware attacks at all."

The hidden costs include what Computer Economics calls the "preventive" measures – deploying technology solutions such as anti-virus hardware and software and managing the ongoing personnel costs for IT security staff – associated with protecting systems from malware.

Companies define direct costs as those associated with the labor to analyze, repair and cleanse infected systems, loss of user productivity, loss of revenue due to lost or degraded system performance, and other expenses directly caused by a malware attack.

"Just because we saw another drop doesn't mean this will continue in 2007," McManus said. "Direct costs are on track to climb higher than in 2006 because of the large number of major malware attacks we saw in the first two quarters of this year."

Other findings from the report:

  • At the median, organizations experience five malware events per year, jumping to 10 events per year for organizations with more than 5,000 computers.
  • The most common source of a malware infection is email, followed by browsing malicious websites and infected PCs and laptops joining a corporate network.
  • Although destructive viruses have greater direct economic impact, survey respondents perceived spyware and hacker tools as the two most serious types of malware threats they face.
  • There was a clear consensus that the spyware threat level is increasing.
