The damage that programmed threats do ranges from the merely annoying to the catastrophic - for example, the complete destruction of all data on a system by a low-level disk format. The damage may be caused by selective erasures of particular files, or minute data changes that swap random digits or zero out selected values. Many threats may seek specific targets - their authors may wish to damage a particular user's files, destroy a particular application, or completely initialize a certain database to hide evidence of some other activity.
Disclosure of information is another type of damage that may result from programmed threats. Rather than simply altering information on disk or in memory, a threat can make some information readable, send it out as mail, post it on a bulletin board, or print it on a printer. This information could include sensitive material, such as system passwords or employee data records, or something as damaging as trade secret software. Programmed threats may also allow unauthorized access to the system, and may result in installing unauthorized accounts, changing passwords, or circumventing normal controls. The type of damage done varies with the motives of the people who write the malicious code.
Malicious code can cause indirect damage, too. If your firm ships software that inadvertently contains a virus or logic bomb, there are several forms of potential damage to consider. Certainly, your corporate reputation will suffer. Your company could also be held accountable for customer losses as well; licenses and warranty disclaimers used with software might not protect against damage suits in such a situation.
You cannot know with certainty that any losses (of either kind - direct or indirect) will be covered by business insurance. If your company does not have a well-defined security policy and your employees fail to exercise precautions in the preparation and distribution of software, your insurance may not cover subsequent losses. Ask your insurance company about any restrictions on their coverage of such incidents.