Why the Gozi virus should never have spread so far

People love to have a sense of closure, but don’t kid yourself: the FBI’s arrest this week of three men in connection with a computer virus called Gozi that stole money from thousands of people is by no means the end of this story.

The narrative arc of a computer virus incident has become so consistent it is almost predictable: early reports induce panicked headlines in the media, with scant details about the actual impact. Eventually, if someone is apprehended, the world moves on, even though the other big culprits never wind up in prison. I am referring, of course, to the people whose computers were affected by the virus. IT security breaches are the one time when it is almost always fair to put at least some of the blame on the victims themselves.

The Gozi virus is also known as a Trojan. It infiltrated businesses the way a certain legendary wooden horse rolled easily into Troy. The wooden horses, in this case, are the employees of businesses who click on suspicious links in an e-mail, or fail to recognize a phony banking website when they see one.

Jeffrey Posluns, a Montreal-based security consultant who also sits on the board of Governance Risk Compliance Security International (GRCSI), has seen it all before.

“It could be as simple as someone bringing in a USB stick with vacation pictures from their home computer,” he said. “It might be systems that haven’t been patched with the latest software update to defend against the virus. Ultimately there aren’t that many ways to break into a computer.”

Time to take IT security seriously

Those in the IT industry have been issuing dire warnings about the need for better enforcement of security policies in businesses for years, but that hasn’t stopped Gozi from affecting an estimated one million systems around the world, and stealing bank account information from scores of people. At a certain point you have to wonder what it will take for people to wake up and start treating their company’s data (and their own) with a little more care.

“I do think we may be getting a little bit better,” said George Odette, who founded the computer repair service Geeks on Site, which assists both individuals and small businesses after a piece of malware hits. He cites his own mother, who was once clueless about IT security but now knows not everything she finds online is safe.

What may compound the problem is that so many businesses are now wrestling with how much freedom to give their employees around computer use. More of them are allowing the use of social media sites like Facebook during office hours, for example, or are creating policies that permit workers to bring in their own personal devices and connect them to the network.

The premise behind many of these new, more relaxed rules is that everyday people are more technology-savvy than ever before. The extent to which the likes of Gozi manage to inflict as much damage as the experts estimate may be the ultimate litmus test of whether companies are going to have to pull back on some IT privileges. It may take considerable brilliance to develop a computer virus as sophisticated as Gozi, but spreading it depends on a great deal of carelessness and stupidity.