An InformationWeek article cites and discusses recent research by BIOS maker Phoenix Technologies, which claims that 8 out of every 10 computer attacks against businesses could be stopped if enterprises checked the identity not only of the user but also of the machine logging onto their network. The study, conducted for Phoenix by a California research firm, looked at data from cases prosecuted by federal authorities between 1999 and 2006 to reach its conclusion that attacks based on logging in with stolen or hijacked credentials cost businesses far more, on average, than the typical worm or virus assault. According to the research, when a privileged account is penetrated by an unauthorized user, the average damage is $1.5 million, while the average damage from a single virus attack is under $2,400.
The study and its conclusion are valuable in what they show: that enterprises should take extra measures not only to secure their infrastructure, but also to educate their users to protect their credentials better. But the research methods are inherently flawed.
First, the research was based on data obtained from prosecuted federal cases. Such cases are usually brought under the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030), which criminalizes unauthorized access to a protected computer (quite broadly defined) and covers conduct ranging from hacking to employees copying data before leaving the company. The problem with relying on such data is that the government, with its limited resources, can criminally prosecute only the cases with the highest damages or the biggest public outrage (which is ultimately related to damages). Also, unauthorized access cases often involve misappropriation of secret information, whose value is usually very high. Relying on such cases to show high damages is circular.
Second, federal prosecutors very rarely prosecute the authors of worms or viruses. Usually the authors cannot be caught, are in a foreign jurisdiction, or are otherwise able to avoid criminal prosecution under section 1030. Also, over the past six or seven years (the date range used in the study) worm and virus attacks have had a relatively minor damage factor: disabling computers, displaying foul messages, or formatting hard drives. For many enterprises, the damage is usually limited to the cost of lost productivity and of restoring the computer (usually from a ghosted hard drive image).
The research, although based on a flawed method and flawed data, nonetheless confirms an important aspect of enterprise information security: people are usually the weakest link. Regardless of how good your firewall and network settings are, one employee’s weak or stolen password can provide an open highway to an attacker. To address this, businesses should have strong password policies and, most importantly, educate their employees on how to safeguard their (and their employer’s) online identity.