Microsoft's UK security chief yesterday said the recent virus attack on its software could have cost businesses around the world billions of euro, but stressed that the multinational was taking real steps to improve security for its customers.
Mr Stuart Okin, chief security officer, Microsoft UK, told The Irish Times yesterday that the company had not yet calculated the cost of the security threat posed by the so-called Blaster worm to business.
"We will cost out the effects of Blaster, and our previous experience has been that the cost of attacks like this come to billions - not just in terms of the effect, but also in terms of lost opportunity costs," he said.
"For example, if you are a large bank in the process of rolling out a new system, and you have to divert resources from that to ensure that the security processes [to deal with the worm threat] are in place, then that is a lost opportunity."
Mr Okin told The Irish Times yesterday that Microsoft had released 15 software "patches" to protect against threats like Blaster so far this year. He said this was comparable to 2002.
He argued that Microsoft, the world's biggest supplier of software, had successfully anticipated the threats to its systems that have emerged to date this year.
Mr Okin pointed out that the Blaster patch was issued to users three weeks before the worm was created but he acknowledged that all systems faced a constant threat of a successful attack.
Mr Okin said Microsoft was working to simplify the steps users needed to take to ensure maximum security on their systems. Currently, this is achieved through a combination of automatic updates and manually going to Microsoft's website to update some programs. He predicted that it would take a year to reduce this to one step.
At the software design level, he said Microsoft was teaching its developers to "design for security". This included examining potential new threats and including safeguards against them. Mr Okin said that the company was passing this knowledge on to the third-level colleges that trained software developers.
He added that the company was also taking steps to reduce the scope for attack on individual users. For example, older versions of its web server product are switched on automatically when a user boots up; the new version is not.
"That reduces the available surface area for an attack," he said.