If a flash drive infects a network, who's to blame?

With a London borough's council facing a £500,000 bill because a user crippled the network with an infected flash drive, I ask who is to blame: the user or the IT staff?
Written by Zack Whittaker, Contributor

Ealing Council, the local authority for a number of London boroughs, was infected by a virus which crippled the vast majority of the council's network.

The damage knocked out the housing department, the library service, the telephone network and others, according to the BBC, after an infected flash drive was plugged into a networked computer. But this raises a question about those who are not yet fully IT literate.

If you plug in a flash memory drive and it infects a network, who is to blame - the user who doesn't know any better, or the IT staff responsible for the network?

Bruce Hughes from CNET seems to think it is those responsible for the network and the company. I'm inclined to agree.

In British (and I suspect in American) law, ignorance is not a defence. You cannot get away with ploughing into someone in your car, reversing and going over them again because "you didn't realise murder was a crime". If the judge said, "you'd forget your head if it wasn't screwed on, you little scamp. Go on, go free!", I would seriously wonder about the state of the justice system.

But in cases such as these, a legal aspect could easily be thrown into the equation. A bill reaching over £500,000 ($817k) needs to be pinned somewhere, and whether or not legal action could be taken is yet to be decided. At the end of the day, it will be the taxpayer who bears the brunt of the cost.

Even though the Conficker virus never "really" activated or caused damage per se, the proof of how powerful a virus can be in this day and age still exists. It spread as far and wide as the French Navy, the German Bundeswehr, the UK Ministry of Defence, the UK Houses of Parliament and more universities than you could shake a stick at.

It is my professional opinion and belief that standard university network security is greater than the average security of businesses and corporate networks. As public machines on campus are all or often in buildings where the doors are opened with your university smart card, access is still limited to those within the establishment.

Not only that, in comparison to a local council or district governance, universities are themselves councils and governors of the campus. Students live and breathe on the campuses and the work that goes on within the network keeps the world ticking over - literally. Because they are all interconnected in one way or another, in the UK at least, they have to be secure to limit the spread of malware.

But ultimately it comes down to education, education and education: the do's and don'ts of computing security. You may not get booted out of university for accidentally offloading a payload of electronic sewage, but you can bet your arse in the real world - you could easily get fired.

So, if a user's flash drive infects a network, who is to blame?
