What's The Actual Cost of A Virus?
ThosLives writes "CNN Money just posted a story that says the MyDoom virus may cost businesses $250M. My favorite quote is that for small to medium businesses with 400 or less employees, the estimate is between $48,000 and $58,000 cost to 'secure themselves' from the particular virus. Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"
Let's see...
The cost of securing your mail server from viruses includes...
The total cost of protecting a company from *all* viruses that go to their business accounts runs around $200 maximum.
Any moron who works at a company and opens said attachment should be fired anyway. So in the long run, the company actually *saves* money by all these worms going out.
So that must mean that SCO must be rewarding the MyDoom author for all the extra money they keep from firing morons at their company that open those attachments. Wait... that can't be right...
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Remember time is money
How much lost productivity from your staff?
Dealing with all the bounced messages and help desk queries takes time away from productive work.
Another thing that's expensive and not to be forgotten is the bandwidth of sending all this crap spam. Why should the recipient of these messages bear the costs of the bandwidth essentially wasted because of these messages?
There's no place like localhost
This is one of those hand-waving statistics that is useful for showing the business leaders, but it's practically useless in day to day network protection.
These numbers used to be in the billions of dollars, but now they are more reasonable in the millions. If anything, it shows a trend in the perception of the value of data in a downwards direction. Everyone thinks data is some really important thing which should have a high value, but as more and more data is brought into the open (including, but not limited to, source code) the value of data drops.
I have been pwned because my
The truth of the matter is that it doesn't cost this much. People claimed that rtm's worm in 1988 cost $10 million due to losses in the stock market. But stocks come back up to what they were once people aren't scared anymore. No one lost money (except rtm who lost $10k).
As has been said 100 times before, there are 3 types of lies: lies, damned lies, and statistics. This is just another case of statistics being used to lie.
Virus making is actually a good way to make profits. Hire one guy to write the virus, a few hundred thousand dollars spent on writing an antivirus program, and then sell millions of copies of said program at $50 apiece to people whose PCs were infected when they opened a program called Happy99.exe from Grandma.
The World is Yours.
I guess others might also wonder what it is about... "good or whack".
Trolling using another account since 2005.
The biggest cost of this sort of virus is time.
Time waiting for your 'net link to do what you've paid for it to do while your email server chokes on hundreds of incoming virus emails.
Time wasted by tech staff explaining to every user at least once to not click that file (or if the organisation has virus scanning) to ignore the ten dozen "virus has been nuked" warning emails.
Time wasted by staff who have to spend time ignoring this junk, replying to warnings about the thing from their naive friends and family emailing them CNN URLs and saying, "is this for real?"
Time wasted making sure the company virus protection is up to date on laptop machines that get infected at home on 'raw' Internet connections then get plugged into the pristine corporate network in the morning. Time wasted fixing machines that weren't caught in time.
This sort of cost really adds up...
It's the bird flu virus
But also, I feel user education can help a lot. Companies need to start implementing some sort of formal e-mail and internet usage training when people join the company and a refresher every so often.
There's no place like localhost
Do your math: you say between $48K and $58K per small biz, so let's take a lowly $50K average. The sum is supposed to be $250M, which is only 5000 times those $50K.
are there only 5000 small businesses out there?
i think not.
So those $48K to $58K must certainly be understood as a "worst case" figure applying only to a fraction of businesses out there
Probably came from a 'Network Security Consultant', not a network engineer. The cost of course includes the hours billed by the consultant, who advises you on how to 'secure' your network.
Remember, a consultant is someone who'll steal your watch, then make you pay them to tell you the time.
"Nothing is so important that you cannot make fun of it." -Clarke
If you get infected you have the cost of fixing the computers, downtime and lost productivity, loss of earnings, etc. All of this can add up to many thousands of dollars.
The company I work for has not become infected, the only cost of the virus is stupid bounce back messages and an hour of my time fine-tuning our mail server config. Due to this the virus has cost us something, but it's hardly worth mentioning.
The cost of having a good anti-virus system is really easy to justify.
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
If some company is stupid enough to pay $50,000 to rid themselves of a virus then they can just write that check to me and I'll gladly take care of it for them. :-)
Yesterday I spent at least a couple of hours clearing some spyware from a PC: it had completely infiltrated the registry, was replacing all attempts to reach other web sites via MSIE with its own page, killing Mozilla, killing the various anti-spyware programs... OK, killing various processes with names like 'sistem' and deleting a bunch of recently-installed DLLs helped me recover control.
But I pity the millions of people whose PCs are infested with dialers, trojans, browser-infecting gremlins. These are not technical 'viruses' because they don't propagate. But they are very serious time wasters,
Ceci n'est pas une signature
Securing your business against a virus: $58,000
Reading about it on my Mac: Priceless
Slashdot Eds Link Anonymous Posts With Logged Posts
They Are Vermin Feeding On Each Other's Feces.
I Hate \.
The cost isn't just the guy who "downloads the anti-virus-defs". The cost comes from machines not being usable for some time before the worm is under control, from people who have to sort through hundreds of junk bounces, from preemptively switching passwords on all infected and related systems. The sad thing is that it's hardly possible to prevent these costs. That would raise the value of the IT department close to the avoided costs. But how do you defend against users who activate worms while actively working around restrictions to see the attachment?
Why would it cost more? Are the chickens that they are slaughtering worth that much?
Seems like the stated cost for clearing a small business of the computer virus is more than a human life costs in most areas of the world.
Plus, I wonder if the computer virus can be listed as a tax write-off?
(only being partially smart-assed...)
--jeff++
ipv6 is my vpn
How much of that money goes towards antivirus companies' corporate (or otherwise big) virus killer licenses? How many companies will decide to buy additional services or software from the antivirus maker, like personal firewalls or spam filters?
Sure, IT companies in general might complain about huge losses, but for antivirus software makers the same losses might mean profits. Not 1:1 of course. If viruses wouldn't exist, those companies would be out of business (duh). And every virus that gets out in the wild serves as a nice reminder that "We fixed this one, but XYZ AntiVirus also offers you SPAM protection! Upgrade now! Exciting deals! LALA!"
that just goes to show - don't touch dead birds in china...
I'm surprised that an Asian version of these viruses hasn't made the rounds yet. I'm curious if businesses in S. Korea would be just as affected if this virus was socially written for that part of the world.
Life is not for the lazy.
If a company has to spend 58,000 dollars to protect themselves from a virus.
That's 58,000 dollars they should have spent a LONG time ago.
In computers, like everywhere else in life, an ounce of prevention is worth a pound of cure.
Some places it costs 100's of thousands of dollars to recover from a virus.
However other places it doesn't cost anything.
Because they went through the steps to protect themselves BEFORE it became an emergency. It's the difference between spending money and hiring good admins vs being cheap and going out of business later because while you're busy patching and crapping on yourselves because you've got owned while your competition is busy making money and taking over your markets.
I'm sure this coward moron posted from windows :)
MyDoom virus - $250M
:)
400 or less employees - $58,000
DDOS SCO - priceless
There's some news money can't buy. For everything else, there's Slashdot.
- A couple of hundred dollars in extra traffic costs
- About a hundred dollars of my time plus about 20 minutes downtime for the financial controller as I learnt how to clean it off a PC -- the other two infections I removed with no downtime (the users weren't even at their PCs when I fixed it and didn't know they were infected until after it was fixed).
Total cost at this business probably didn't exceed A$400. We're "medium". 19 core staff, 80-odd contractors. It would have been less of my time if it didn't highlight that the anti-virus software on the mail server wasn't behaving properly and had expired (so you might want to add a licence renewal into the cost if you're into padding numbers).
I'd imagine the cost has to be comprised of a few factors.
1. How many man hours were spent to keep services available
2. Cost of actual flow of income if it was interrupted (contacts, sales, etc)
3. Cost required to protect against next wave. This could be to hire another person on staff, additional software, contractors for a few days, etc.
There could be more, but those are the first that came to mind...
I talked to friends in a few different large companies. They weren't really affected last time I talked to them. They were able to put in place some spam/virus filters and on they went. So I don't know about this one the "true" impact because on that same note I noticed smtp mail bouncing all over the place Wednesday afternoon.
I'm kinda' glad there's no formal process to rate the impact of the virus. We would start to see competitions to see who could make the new record for the most outages on the internet.
Cost is one thing, who is responsible for that cost is another. I was somewhat stunned to find that, on a windows system, just clicking an attachment pointed it directly off to the OS to handle, whether that be a pdf, a txt, or a .exe file. This was on Win2000, so I can't say for sure if newer versions do the same. I suspect they may, as one of the reasons given that MS isn't responsible for any virus spreading by a pro windows guy I know, was that:
"It doesn't matter which mail client you use, if you click the attachment to open it, it'll run and you're infected". I'd commented about OE's lack of security, which prompted his statement. Is this for real? I'd have expected ANY app that pulls in unrequested files, like a mail app with attachments, would do nothing more than save the file on a HD when clicked, and even then require you to specifically give it permissions to run if it was an .exe. I didn't see his comment as being worthy of defending Outlook, but rather indicting Windows in general.
To me, the responsibility is on the software vendor that allows not just hiding of an executable app within an attachment, but also allows it to be run so simply and then also allows it to modify core parts of the system so simply. Combined with those three "features" I don't see there can be any lack of future viruses.
Our office mail server is a linux box. It's a nice little redhat, properly administered. Haven't had a bit of trouble. Major government contractor across town has NT all over, massive problems. Of course, our email server doesn't allow .exe, .scr, .vbs extensions for attachments at all. There's a few more that are disallowed. The server replaces those attachments with a .txt file which states that a file has been removed.
One good example is in the Bruce Sterling non-fiction book "The Hacker Crackdown" - which can also be read online. To sum up, the financial cost of getting a particular document taken from a mainframe was given as the total cost of the mainframe, a terminal and the salaries of a bunch of people going up the hierarchy from the person who wrote the document, for far longer than that person actually spent working on that document (ie. paying for someone to write it at the rate of a few words a day, someone else to stand behind them and look over their shoulder for days, someone behind them etc). The defence proposed that the actual worth of the document was the few bucks plus postage that other people paid for it when they ordered it from the company over the phone.
Opportunity costs are difficult to calculate, one missed email and you could have been a contender - on the way to fame and fortune - but it's more likely that the email is just spam.
If by now you haven't gotten clued in and protected yourself against the wave of viruses that have eaten windows for lunch for the past 5 years then you as a business deserve to waste thousands of dollars on this one.
If you can't be bothered to hire ppl who have no sense then to open everything that comes to them without seeing what it is then you deserve to waste thousands of dollars on this.
If you can't be bothered to have someone on your staff who is qualified to run your network and not just the person who can set up the copier and the fax machine, well you deserve to waste thousands of dollars on this.
Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"
It isn't just one person working on the virus.
With really bad viruses it will take a week of work, if you are lucky and it doesn't spread too badly.
You probably have the entire server/desktop team working on the updated anti-virus software and how to deploy it.
You have the entire Tech Support team who actually go out to people's desks when they think they have the virus.
You have the entire helpdesk team swamped with calls, many of which are just asking questions about the virus, rather than even thinking they might have it.
You have the actual end-users who are getting paid to twiddle their thumbs while they wait for tech support to check out their PC.
And you have all the management in a huff and having lots of meetings to talk about the virus which they really don't understand while all the IT people do all the actual work.
Try to be more sensitive, those dollars add up!
Also, while they probably don't pay overtime, they probably count the cost as if they did.
Promote Sensitivity on Slashdot, make me your friend.
...are the perfect scapegoat to cover up that ounce of personal incompetence. Actually, it's much like this God theory, and they are perfect scapegoats because neither claim can be proven true or false.
the disclaimer at the bottom of the story....
see paragraph two.
Disclaimer
Stock recommendations and comments presented on CNNmoney.com are solely those of the analysts and experts quoted. They do not represent the opinions of CNNmoney on whether to buy, sell or hold shares of a particular stock.
Stories listed on CNN news are not necessarily related to the real world and on a slow news day may be completely fabricated. Hey this is only the internet.
Things such as repairing the machine after the virus is activated by dumb user
productivity lost by user, files lost etc.
severance pay for dumb user
hiring fees for the replacement (ad costs etc)
Of course when the dumb user is also the boss/owner of the company it can cost a whole new computer just for starters (Dual G5 with everything) and a lot of time reshuffling computers to incorporate this one into the company plus new firewalls
Yep those viruses can be costly
You're all thinking it, I just said it for you
it seems like it would actually be LESS expensive for businesses to run Mac or Linux boxes than Windows. Or at least use a mix of OSes so not everything is vulnerable.
Perhaps that would be sound corporate IT strategy?
I don't understand the motivation behind the creation of this virus. This doesn't just affect SCO; it also affects the users this person is fighting for. Maybe SCO isn't doing the right thing, but taking down their website and infecting thousands of users with a virus probably isn't going to change their mind much.
I do wonder if the cost of replacing any remaining M$ servers with Linux or BSD would be many factors of ten lower than a year's worth of MSTDs. If you avoid getting hit even once, you probably earned your money back.
It's very simple: all the staff should be taught NOT to open email attachments containing the usual bad file-endings. That's one 5 to 10 minutes meeting.
On a funny side, awareness for viruses can be achieved by putting up posters like this:
Safer Surf.
is that for the download of a free email client, Mozilla, none of these fake losses would be incurred.
The articles about losses from email worms consistently fail to address the problem of crap email clients (or more correctly, THE crap email client) that causes this problem. They also give the same two pieces of advice, "use anti-virus software and don't open attachments", conspicuously leaving out the most important advice: change your email client.
Is it because they are embarrassed that they use this same client, and haven't got the brains to switch to Mozilla? How can they give advice to people to change email clients when they can't do it themselves?
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
if 400 people waste half a days worth of productivity watching the sysadmin clean up and get the network going it will amount to approximately one years salary.
But then again. That time usually isn't entirely unproductive. Some people will get more "real" work done if the email is down. And most people will catch up during the rest of the day.
This is my sig, show me yours
Well, Mandrake Linux fits on three CDs, so I'd say the cost of securing a business against virus attacks is about 75p.
The reason why so many attacks are against Windows is that Windows is usable by complete morons -- and, as an inevitable result, you get complete morons using it. Yes, we all know GNU/Linux requires a little tech savvy. You don't get smart enough to use GNU/Linux without first learning that running just any old programme when you don't have the faintest idea what it does, is a bloody stupid thing to do. On the other hand, any living advertisement for the pro-choice movement can fire up Windows XP and get their computer riddled with malware in a twinkling. Why? Because Windows is too easy to use.
It's a perfect illustration of reverse evolution in action. You try to make something idiot-proof, then nature only goes and comes out with a dafter idiot.
You could never make a car that a five-year-old could drive safely -- and even if you could, it would necessarily lack so much functionality it would barely be usable. Really, there's no point trying -- it's better to issue full driving licences only to adults and only on completion of a test. And then we don't have to suffer the consequences of cars that would be driveable by five-year-olds.
The very fact that GNU/Linux naturally weeds out complete retards probably explains why there are not -- and will never be -- as many GNU/Linux exploits as there are Windows exploits.
Je fume. Tu fumes. Nous fûmes!
You know, I've always wondered if BSD-type "jails" could be implemented on windows in regards to email messages containing attachments, or if such a thing exists, why isn't it widespread to cut virus propagation?
Sort of like isolating Outlook, which runs attachments in a virtual server where viruses would be locked in a controlled environment and fail to spread outside of that system.
We took two hours out to deal with mydoom and issue an alert to our clients. Two people for two hours, 70.
I have *no idea* where these reports get their figures from. $48,000 (26,400) is equal to 867 man hours (at cost, 30 per hour). That's 108 days (presuming 8 hours a day)... talk about overkill.
Despite what Windows pundits would have you believe, Linux and Mac OS alike don't get fewer virii because of lower market share (lower market share?!? I smell a pissing contest), but because they have no mechanisms in place out of the box where a user can receive e-mail with an executable file which can be activated with a single click. Not a double click, mind you; a single click and Outlook will launch a
If Microsoft was actually serious about security, I would think this would be one of the first things changed. Honestly, does ANYONE besides the virus writers actually use this feature for something important?
CAn'T CompreHend SARcaSm?
Viruses attack Windows-based systems. Windows is expensive. Linux is free.
Switch to Linux, protect your company from viruses. And save money that would have gone to Microsoft.
To recap: it doesn't cost anything for a company to protect itself from viruses, but rather it saves them money to do so.
in bandwidth.
I've managed 3 separate networks, small to medium thus far, over the past several years. Sobig? blaster? MyDoom ( clamav: worm.sco.a/b )? Klez? My networks have never been touched.
Yes, they are win32 based on the client, and linux based on the server. But, due to a strong policy and me doing my job, my networks remain virus free.
If any network gets bitten by this, the IT staff needs a serious looking at. An IT staffer who would let this happen to their network should be given the boot.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
I think those numbers must include the time spent reading about the virus on Slashdot, I think this is the 4th article in 2 or 3 days...
Several hours of someone's time to patch a few servers, read up on virus, inform boss/president/CIO/whatever... ~$250
Assume that a million businesses could be affected. (some won't be as are *nix exclusive, some may have lots of newbs open attachment. Bell curve works extreme examples out as even.)
Thus, $250 million
The cost of viruses and SPAM are very real and very high.
The cost is not in the cost of software, or the cost of equipment, or the time it takes to install [package name here] under [os name here].
The real cost is in lost productivity. It's getting better now, but I was spending up to 2 hours a day (I'm a self-employed software engineer & webmaster) on SPAM.
The knee-jerk response is, again, install [package name here] under [os name here], but when a single false positive is too high you have no choice but to turn your filters down and sift through it.
If your average email is from your friend Joe about the latest picture of [insert hot model name here], or which server to join to play [insert game name here], then if you miss one no big deal.
But when you are a business and a single missed email can potentially cost you $20,000 (I have had single emails that have resulted in contracts over that amount, and no reply would have resulted in no contract), then a single false positive is simply too high.
That is the cost, plain and simple.
Those numbers are stupid....
Protecting yourself from this virus is simple. Any 400ish employee companies that spend $50k to prevent infection need to SERIOUSLY have a deeper look into their IT department.
Blocking out this virus should take all of an hour at best, and the cost should be so small that it's not even worth guessing.
Possibly, if you calculated in the cost of _ALL_ hardware and software involved in blocking _this_ virus - then sure. Otherwise, any company should already have all those products needed to block this virus.
It took us less than 20 minutes to identify and block this virus at my company - we have 300 employees and the cost to implement a solution was null - merely 20 minutes value of my time on the clock.
To say the least, it was a non-event.
Companies and IT departments seem to over-inflate the cost of virii. Why they do this, I'm not sure.
Personally, I see it as the media making an attempt to glorify the situation - making it newsworthy and giving it the 'shock and awe' effect to the general public.
Any input out there on the real, hard costs of things such as virus protection?
$0.
1. The market is already flooded with anti-virus applications, many of which are free.
2. No business would invest into an application made by a freshman software company. They would choose experience and mindshare over empty, unsubstantiated promises.
3. It doesn't take few hundred thousand to write a decent AV application. You can create one on a shoestring budget and package it under $10,000 or less.
4. You're assuming none of the AV products would be able to provide a "fix" for said virus, which would create a market for this fresh application. In the AV world, there is no such thing as "exclusive fix" to a widespread problem.
I usually don't charge for my virus
Most chemists/pharmacies and even supermarkets these days will sell you protection from particularly nasty viruses. Cost is about a-dollar-a-pop, so to speak ;-)
Of course, at the rate these computer viruses are spreading, a-dollar-a-pop (ie per person per exposure) rapidly becomes a significant amount of cash.
Obviously a whole-lotta-poppin-goin-on.
Visit CryptoGnome in his home.
...business might be paying a similar amount to SCO to "licence" UNIX.
Does anyone know where that number comes from?
These numbers in the media always come from the "antivirus" vendors, they are often quoted by name (no free marketing can beat that!). They fluctuate this much because of different vendors giving different numbers. Antivirus vendors are always first to inform the media about the "facts" of viruses. All non-tech media take these numbers for granted. (They do sound impressive don't they, that must mean it's newsworthy? let's not bother double checking them) Most media ignore that antivirus vendors have a huge (No really huge!) interest in keeping people "addicted" to their updates. Remember that if microsoft were to run outlook and internet explorer at low privileges and fix buffer overflows in network parts once and for all, nai and associates would be out of business in a year.
Antivirus vendors work by supplying software from the dos days when there was no os security at all. Back then virus scanners were a tool in the cleanup of the few known viruses that were in the wild. Nowadays when operating systems could easily sandbox most code and give it just the privileges it needs, viruses and even worms could be a thing of the past, but they are not. Instead millions of people depend on software recognising software as known malware, as identified by their "antivirus dealer". Meanwhile these vendors miss out on spyware and remote admin software because of legal reasons.
It's actually worse than that. Microsoft and Symantec are business partners. People will use Windows regardless, and if Windows remains vulnerable then people will use whatever AV comes with their PC - and that's very often Nortons.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
Repeat after me: An Ounce of Prevention is Better Than a Pound of Cure
/.ers know exactly which particular multi-billion dollar american mega-corporation whose Supreme Ruler is about to be knighted I am referring to, without me having to mention them by name.
Ask not "how much does it *really* cost a business to prevent viruses?" but rather ask yourselves, "how much are business practices like first and foremost, more features; and if that compromises security, well what of it?"
And the obvious yet often unasked and when are we going to send that BILL (pardon the pun) right back where it belongs?
I'm sure that most
Visit CryptoGnome in his home.
As insecure as Microsoft Windows can be, it's easy to patch with the right tools. Get yourself a copy of LANguard. It pushes patches down to all 350 of our PCs (pcs are slow and network is slow), in about 1 night. Sometimes it's less. We also have automatic update run on the pc's individually at staggered times, and we push down anti-virus software through norton enterprise. It takes a few hours of work, and a one time expense of $1500 in software licenses, and we could secure about 2,000 pcs in a day easily.
Sorry for the self reply but after I posted it occurred to me I should make a disclaimer:
IANAOU (I am not an Outlook User), obviously. Therefore I cannot vouch 100% for the single-click story, it is simply what I have been told by people who have used Outlook. I assume it's a default setting, taking into regards the level of setup the particular person's PC has undergone. Either way, it's obviously way too easy to toss viruses around a corporate network. YMMW.
CAn'T CompreHend SARcaSm?
I believe there may be some people profiting from viruses such as MyDoom, if you think about SCO's internet provider there would be a lot of internet traffic and the way internet traffic is charged is the upstream provider charges the downstream provider, while the charge for the data is not much the large amounts of data SCO will be receiving should add up to the maximum amount, or do I have it wrong? If someone is losing money, you normally have someone making money.
They're preying on stupidity. Soon they'll prey on fear.
I can see where it's heading. As an example:
I somehow think the worst is yet to come
From the article:
A Microsoft spokesman said Wednesday it is looking at offering a reward for information leading to the arrest of the creator of the MyDoom worm. He added the company has not paid out its $250,000 rewards for the SoBig or MSBlast viruses.
Now I'm all against viruses, DDoS attack, SPAM and other forms of internet pollution. But how do they think arresting a virus creator is going to help controlling or defuse the virus? Obviously, this is more of the "set-an-example" strategy than the "contain-or-do-something-about-the-problem" strategy.
With a few thousand script-kiddies remaining, the bounty strategy is more likely to bankrupt companies/institutions/governments than make the internet a better, cleaner or safer place. Bounties are always a sign of desperateness, but in the context of viruses -- when you think about it -- it's just silly.
--
You cannot wash away blood with blood
Yep sure h5n1 is a great great worry. Enough to make you think all computer viruses are small stuff indeed. Especially, if h5n1 combines with human influenza, as some in the WHO are expecting (or so it is reported).
OK. Since your post was offtopic we might as well go way further off topic. Check out this excellent article on the Black Death and what it might have really been (hint: not spread by rats). Hmmm, yeah a global pandemic would certainly cost more.
Bitter and proud of it.
Quoting Twain is charming, but unless you have statistics to counter Gartner's, I would be prone to believe them.
The big costs are a sum of the following:
- wasted work time due to reading panic articles
- wasted work time because the IT department immediately shuts down all email communication;
- wasted time because "my wife just lost all her files... must be a virus"; and finally
- lost time trying to calculate journalist estimates = total waste of brainpower
And... if you sum all that, the above-mentioned costs start looking like peanuts
http://www.automatiq.se
Wow, this topic really got me thinking. All that time I spend every day deleting spam, drinking coffee, having toilet breaks. It all adds up. It's amazing I ever get time to do any work.
In fact, I've just figured out that if we can shut down slashdot - maybe feature it on a front page article and get it slashdotted - we could scrape together enough coin to fulfill George Bush Junior's plan of putting a person on Mars.
Do the math:
800,000 Readers a day
30 Minutes a day to scan the front page and browse at level 5
$30 Per hour wage, these are _mostly_ employed geeks after all
$24,000,000,000 Annual lost time cost, assuming a 40 hour week, 50 weeks of the year.
Of course, my clients never get viruses because I keep them up to date with virus definitions and the like. :)
The notion that ordinary users should pay to have virus protection seems rather antiquated in this age of mass mailing worms etc that have more effect on businesses than homes.
I personally use a great freeware antivirus program from a German company called AntiVir (www.free-av.com), which gives it away for personal use but requires commercial use to have a licence (as a nice aside, it is WAY more efficient than the bloated Norton apps). This makes sense, as it's businesses that keep telling us they're losing millions of dollars when a virus hits them, whereas home users might be inconvenienced for a little while but not seriously affected in most instances.
How about having the government recommend some free antivirus programs, or even require companies to sponsor antivirus companies, since it's in their interests to do so?
Visceral Psyche Films
How much money would it cost, to install - say - Linux on all desktops, and never let any employees use Internet Explorer or Outlook ever again? I think in the long run it would be cheaper than getting hit by a virus every few months...
are there only 5000 small businesses out there?
i think not.
Maybe they mean there are only 5000 small businesses that would actually lose money over this.
Duh.
Download AVG anti virus
http://www.grisoft.com
Update
Schedule to update every night
You are now protected from viruses
Cost breakdown:
Anti virus - Free
Labour 20 minutes (subject to connection speed) - 15 (if you pay your employees more than 45 an hour for a job like that you are probably insane, PS I need a job)
The best weapon to avoid viruses and worms costs is prevention (no using Internet Explorer, Outlook Express, ... not using Windows at all :-).
You don't pay tax over loss in earnings. That should make many managers and accountants *VERY* happy. Now how come you *NEVER* find even a rough estimate of the cost of viruses and worm attacks on the financial balance presentations of *ANY* corporations.
I mean, $48000-58000 for each attack is a lot on the balance of a healthy 400 employee company ($3,000,000 revenue, $100,000 EBITA).
--
I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour -- F. H. Wales (1936)
Where oh where do they get these figures? At my company we have two lines of defense...One is TrendMicro for Exchange and the other is NAV Corporate Edition. Anything that doesn't get stopped at the SMTP server will get picked up by Norton. I figure the two of them combined cost somewhere around $1000-$1500 to cover all of our workstations. Besides that, the only cost the virus is incurring is my time looking over the logs, which basically have been saying the same thing over and over for the last three days. This is a far cry from the $48,000 - $58,000 they say it takes to secure yourself from one teeny little worm virus.
If the virus got in, the cost of fixing it would be based on the method of removal, how many computers got infected, and what the downtime costs our business. These are three variables that certainly can't be guessed. Something tells me they just pick out numbers that are big enough to impress the media and small enough to avoid losing whatever credibility they have left.
-R
I run a Zope / BSD Jail hosting company and so far being that we drop all executable attachments we have experienced 0.001 load increase due to this thing, even while hosting 1000+ domains which not being that large of number, still we have experienced a large number of viruses (virii) previous to blocking executables.
SCO is offering a reward for anyone who provides any leads that lead to the arrest of those behind mydoom. The SCO website seems inaccessible at the moment but if you're Swedish you may read about it at www.aftonbladet.se/vss/it/story/0,2789,426092,00.html
At my company, the email gateway stopped all the email and quarantined it. Firstly because we ban certain filetypes (and it examines zip files) and .pif / .scr etc don't get through. Secondly when the anti-virus component was eventually updated it caught them all.
The cost to my company: 1 email to explain why the users were getting bounces for mail they didn't send.
Cheers
Methodically, these numbers should be added to Windows TCO.
There you are, staring at me again.
Very good example.
I work for a small computer service company in the Detroit area. We get typically $149/hour for operating systems/software support. Given the case of a small company with 20 workstations and a server for their employees to use that has nothing in place for virus protection, and that most, if not all machines have become infected, figure this:
.25-.75 hours per machine to disinfect
.25 hour to load new AV software per machine, download updates for program and signatures, etc...
Figures to 21 hours max at $149/hour... $3129 in labor. Norton AV Corporate edition with 25 seat licensing (don't forget, that server is included as a seat, and you can only buy in 5, 10 and 25 seat increments) costs $869.00 per Symantec's website. With the 30% markup my employer would add and state sales tax added, that comes to software costs of $4326.48.
Figure in any additional labor to reinstall any software or operating system components that were damaged by the infection and you've got one whopper of a bill for a small business to drop because a multibillion-dollar corporation cannot spend the proper amount of money and time to thoroughly investigate and secure their operating system products. Then figure in the cost of annual subscription fees to download updates to the virus updates (I don't recall the actual figures for annual subscription fees, but my sister's company has three pc's in a peer-to-peer environment and each machine costs $20 annually for that subscription). Pretty hefty.
Considering that there's a lot of us in the IT sector out of work, Virii can be a godsend. Why? 'Cause, even if it's only for a week or so, we get called by the local contract companies to clean it up. I did a 2 week stint at Honeywell in Phoenix doing just that. I was unemployed when they got hit by whatever virus back in August and got the call to help with its cleanup. This later turned into a longer contract to help out their PC Techs clean out their ticket backlog caused by the virus; some 2000 or so tickets generated and left untouched during the cleanup. We were out there for a total of 5 weeks.
Stuff like this, large companies needing to outsource virus cleanup, is also a major factor to be considered when looking at those numbers. Figuring that the contract companies got an average of $25/hr for each of us and multiply that by the initial order of just over 100 techs for the first 2 weeks of cleanup (Honeywell has numerous, large facilities around Phoenix), and you see just how much money these things can cost a company.
Fifty watts per channel, baby cakes.
I taught my grandmother to use a computer. She, like other old people, has some difficulty using it but opening e-mails is not a big deal. She just clicks on a message and reads it. She even learned to send messages herself and was very proud of this.
But this time she got in trouble. I don't know how - maybe antivirus software was disabled or something else but MyDoom infected her computer. Yes, it was Windows. I actually don't have much time to install software for my family members and just bought a second hand computer with Windows and everything and gave it to her to use. Now I think I will take some time to wipe it out and install Linux instead.
It is a psychology of inept users to click on things. It cannot be changed, at least not easily. There will always be some grandma or some office clerk who will click and execute attachment regardless how many warnings will be there. That is the biggest security problem with Windows systems - the files are always executable by default. It is different in Linux. To run the script it requires to set executable attribute first. Who needs to execute attached file anyway?
The security which does not take into account user psychology is worthless. I predict that there will be more viruses like MyDoom in the future as there were in the past. The whole Windows architecture is broken with regard to user interaction and it cannot be easily fixed.
--
I'm the sysadmin for a small ISP. Here's our rough figures:
New mail server, bought last February: $2500
FreeBSD 4.8: $0.
Qmail: $0.
Vpopmail: $0.
qmail-scanner: $0.
Spamassassin: $0.
F-prot antivirus for unix file servers: $400/year/server.
My time*: $3000.
Moving from sendmail to qmail and watching sendmail admins patching: priceless.
Moving from sendmail to qmail and watching server load averages go from 20 to 0.02: priceless.
Adding on spamassassin server wide and watching server load averages go from 0.02 to 3.0: well, it's still better than sendmail was.
Watching the server eat 30,000 viruses a day during the MyDoom attack after months of hard work: totally righteous.
There are some things money can't buy. For everything else, there's my Boss' Mastercard. Accepted in places where Open Source Software impresses geeks like me.
* I'd never before used any of the software listed above. It took a while to learn it all in between tech support calls.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
If SMEs have any idea on how to survive and cut costs IT wise, they'd just strip all exe, scr, bat, pif etc (for this matter of e-mail viruses) from all attachments. If a client wants to send a file, tell them to upload it somewhere, or give the client some access on their own servers or whatever. This estimate of 48k to 58k is just way too high. Where in the world did they come up with this anyway?
I don't know about the costs of preventing a virus attack, but I know pretty much about how much my boss has lost during 3 days where he couldn't use his computer... (it's around USD 1000).
First we didn't know what was happening: The computer kept sending packets which I discovered by accident. One day later we heard about MyDoom, again one day later we knew how to fix it.
And the worst thing is: We still don't know how it got in there...
It's difficult to say how much exactly a business loses, and how much they report lost to the IRS (US Taxation). However a couple of "factoid" opinions can be formulated.
A. Exposure/non-exposure is not guaranteed, sometimes even the best protected business will have virii/malware walked in via laptops and vpn's.
B. The bigger the bureaucracy the greater the cost, the less flexible the business and the more tiers in their chain of command the more stops on the way to a cure and the more junk left behind by people who are "willing to take the risk", "do not need to replace this in this fiscal quarter", "downsize systems administrators", "Microsoft and Cisco are the only way to go", "We're not supporting more than one operating system here!".
C. Administrativa does not replace security. You can tell a user not to do something a thousand times just to see them do it again. This includes policies such as "do not bring your laptops/data/crap" from home and plug it in to the corporate LAN, "don't run AOL, etc...", do not install Corp VPN client on your home computer without a firewall.
D. Antivirus software is most likely already present in most corporate and home setups (unless in dark ages) and hence it's the failure of this technology that causes outbreaks.
E. The larger the warehouse of administrative/clerical/non-technology workers using Windows(tm)/Office(tm) the greater the chance for an all-out systems down. Esp. if this cubicle field is adjacent to a Windows NT/2000(tm) server room with Microsoft Certified Systems Engineers (MCSE) running the show, chaperoned by a Microsoft Certified IT Manager (MCIM) who reports to a Microsoft Certified Chief Information Officer (MCCIO)(tm). (but I digress)
F. The less able the business to do business without computers the greater the cost. eg. All systems down in a Used Car lot means they cannot print contracts or run computer based credit/load check, however paper still works great. All systems down in a Webhosting company is an immediate loss, followed by a long-term customer loss which can reflect directly into dollars.
That all being said, I think the numbers are BULL****! BULL****! BULL****! They are brought to you by the same people who slap those "Information Security Incidents may cost this business $10000000000000000 per incident" posters near the water cooler. Scary enough though people get convicted for crimes under the same "public scare" principle though.
Ok......WHOSE hardware is overpriced again?
The cost is not just money spent on Antiviral products. These are available for free but most companies would rather pay a little extra and get support for the product. All software causes problems of one kind or another, might as well pay upfront for the solution.
Firing staff for opening .exe messages will not help. Most workers will have no idea how their computer works. You might as well fire them for not being able to tune the breakroom TV. A better policy of blocking mail and scanning it would help. But that takes a skilled IT dept, who will be better paid at a larger company.
The extra costs come from lost time. Some that is very hard to measure. 400 person companies will not have a large helpdesk or IT staff. They are caught in a situation where a large staff is not needed normally, but the existing staff is too small to handle a big problem. So when a large problem does arise the few staff are overworked and it takes a long time to fix, hence the lost money.
Large companies have large support staffs, smaller companies can be fixed relatively rapidly. Those caught in the middle get screwed.
Money, like matter is not created or destroyed, only moved.
So, that $250million is a loss to some businesses. Loss in what? Staff time? Having to pay consultants to come in and fix the machines? Well, there's someone on an up - consultants being paid to fix things.
Don't forget that for those businesses that don't get the virus, there's a potential gain. If one of your competitors has the virus and say can't process orders, the order is likely to come to you.
For a 400 person or less company, the costs quoted are quite low. If you take the median, 200 people, and each loses a cumulative 1 day of work due to getting the virus, or just deleting the virus, plus any associated company meetings or training, etc. in dealing with the virus, that's 200 days lost or about 1 man-year. Right there, you have minimum $50,000 in productivity down the drain. This doesn't include software upgrades for anti-virus, mail scanning, etc. nor any repair time for infected computers that the IT staff has to deal with.
On the other hand, those figures should be the cost for the *first* virus epidemic in any company. After the first one, there's no excuse for not taking measures to protect the company from further viruses.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Consider: 400 workers all lose 1 day to the virus. 1 day out of 365 times 400 workers adds up to one worker-year of salary being blown.
However, this figure is exaggerated by at least a factor of two: not everyone spends a whole day working on recovering from a virus.
--N
Why does nobody ask how much money is earned with viruses ? McAfee, Symantec, ... they all make some nice Dollars with selling their AV products and services.
BTW money is never lost ... it just changes its owner. If you spend a Dollar, someone has to earn it. Many small IT shops make a living with fixing "broken" PCs, and nothing "breaks" a PC better than a worm/virus ... Maybe I'm getting a little paranoid here but who knows who is writing these little buggers ...
RedShirt
Microsft spel chekar vor sail, worgs grate !!!
Actually, it really *is* possible to get your costs down to an insignificant level in a small business.
Firstly, my email server bounces all emails with attachments like .exe, .scr, .pif, and the like. No virus coming in, and it generally buys enough time until the anti-virus software can be updated. Cost? Free. Setup time? Less than half an hour, and lasts indefinitely.
Secondly, I have Symantec Antivirus Corporate Edition installed on a server and on all client workstations. It automatically downloads new updates every week. Ok, there was an initial cost to the program, I think $3,000; I haven't bought updates for a few years because it still works great. Why fix what ain't broke? There is the initial setup time, which is 5 minutes per machine, but once it's set up, I've never had to fiddle with it again. Cost plus my time? Realistically, it can be distributed over a three to four year time period, so maybe $600 a year?
This latest virus does do some .zip attachments, which can get past the email server filter, so it will be interesting to see what happens; but, I suspect not much.
That would block this virus, but it also blocks legitimate executables sent by email. An acceptable way of doing this would be to put it in a ZIP.
A good scanner would actually scan the executable. Maybe it would also be a good idea to add a warning to the message body, something like:
"The attachment to this message contains an executable file. If you are not absolutely sure this message was intentionally sent by a trusted person, don't run it since it may be a virus!"
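The gateway policy several posters above describe (ban attachment types such as .exe, .scr, .pif and .bat, and look inside ZIP files rather than trusting the outer name) can be sketched as follows. This is an added example, not code from any poster or product named in the thread; the function names, limits and sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the thread; a real deployment would maintain a longer list.
BANNED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")
MAX_ZIP_DEPTH = 2                  # assumed limit on archives inside archives
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed cap on a nested archive we will unpack


def has_banned_extension(filename):
    """True if the name ends in a banned extension.

    Trailing dots and spaces are stripped first because Windows ignores them,
    and only the final extension matters, so "document.txt.pif" is caught.
    """
    return filename.rstrip(" .").lower().endswith(BANNED_EXTENSIONS)


def scan_zip(data, depth=1):
    """Return a list of findings for the archive held in `data`."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if has_banned_extension(name):
                    findings.append(f"{name}: banned extension inside archive")
                elif name.lower().endswith(".zip"):
                    if info.flag_bits & 0x1:
                        findings.append(f"{name}: encrypted, cannot inspect")
                    elif depth >= MAX_ZIP_DEPTH:
                        findings.append(f"{name}: nested too deep to inspect")
                    elif info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{name}: nested archive too large")
                    else:
                        findings.extend(scan_zip(zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        findings.append("unreadable archive")
    return findings


def scan_message(raw):
    """Return findings for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        if has_banned_extension(filename):
            findings.append(f"{filename}: banned extension")
            continue
        payload = part.get_payload(decode=True) or b""
        # Detect archives by content, so a renamed ZIP is still opened.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            findings += [f"{filename} -> {f}" for f in scan_zip(payload)]
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample(attachment_name, data):
    """Build a constructed message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attachment.")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "report.pdf": b"%PDF-1.4 constructed",
        "document.txt.pif": b"MZ constructed",
        "message.zip": make_zip({"readme.txt": b"hi", "body.scr": b"MZ"}),
    }
    for name, data in samples.items():
        result = scan_message(build_sample(name, data))
        print(name, "->", "REJECT" if result else "deliver", result)
```

A gateway using this would reject or quarantine any message with a non-empty findings list; archives it cannot inspect are reported as findings rather than passed through.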
Amazing how some common sense practices that an admin performs can save so much time and effort. Everybody gets these worms and yet admins with common sense just see infection attempts on their gateway. Seriously, NAVCE is awesome. As long as the machine is joined to the domain you can remote install the client to 5000 machines in about two hours. That's pretty amazing. I hear about all these viruses and worms and not a one of my networks is ever affected. Oh well, maybe one day more people will realize the right tool for the job and employ multiple types of servers instead of a single platform. Interoperability can be a problem but it's far less than a single vulnerability affecting an entire organization. Course Interoperability is a snap if a company has enough money to afford some Netware licenses. Every OS can interface with! Makes interopating so damned easy I'm not sure why people fight with Samba after every release of Windows.
a more modern example would be the 'spanish flu'(or whatever you prefer to call the massive killer of ~1917-1918).
quick googlin turned this page up.
"The effect of the influenza epidemic was so severe that the average life span in the US was depressed by 10 years.", yet it only had a mortality rate of 2.5%(and sars had what? 0.25? it still would have been quite severe had it spread uncontrollably).
however as to what comes to the bird influenza.. I wouldn't be that worried. sure it costs a lot to terminate them(chickens) but hey, at least it dies at ~70 degrees Celsius(as opposed to 'mad cow' for example). of course some wto officials prepare for the disaster that it would be if it started to move from people to people, but that's their job(doesn't mean that it will happen).
world was created 5 seconds before this post as it is.
I've looked into this, and it's always a projection based on a survey of businesses. They ask businesses how much it cost them. Doesn't sound reliable to me.
Your post really does outline the truth to that "MS FUD" that says the cost to retrain staff (especially the technical non-elite) to use new non-MS products makes free Linux not so cheap, thus buy MS.
And it does work, the company I work for almost exclusively sells MS software (we aren't a software company though, it's just an added service) because if it's not simple to use, clients don't use it.
It cost $50000 pa to pay the funny looking, smart guy/girl, who's always smiling and talking to themselves, who "knows a bit about computer" to install (choose your distro of) Linux.
The figure they give is what it costs you if your IT department is totally
incompetent and allows the computers to get infected in the first place. An
ounce of prevention is worth a pound of cure. I have a checklist of things
I do to every new computer we get at my workplace. Not all of the things are
security-related (for example, I make sure all the corefonts are installed).
But some of them are. Among these, uninstalling or disabling Outlook is the
most important. Setting up the IP settings to go through the NAT gateway
instead of sitting directly on the internet also helps. Now, this *does*
take some time; by the time I do everything on the list it's 8 or 10 hours
I spend with each new PC, getting it set up before it's deployed. Most of
that is installing and configuring stuff, but probably 1-2 hours of it is
security related. By the time you figure in what I actually make plus the
various other costs of having an employee (retirement system and insurances
and whatnot) that's probably $50 or more per computer that we spend on
preventative maintenance, plus the overhead of maintaining the NAT gateway
(which is not that much) and maybe 15 minutes a day (average) that I spend
on the clock reading headlines on the web (e.g., on slashdot) to see if there
are any major new security issues I should be aware of.
I'm not sure exactly what all that adds up to, but it's a heck of a lot
less than $58,000 per virus that we don't catch.
Cut that out, or I will ship you to Norilsk in a box.
We have a very small business (7 employees) and our cost for a lost day of work is about $3,000. We did have one virus a few years back (the one time I let someone check email on a PC... now we're back to the rule "check email on your mac, since it's virus safe.")... and it got into our file server, and pretty much shut us down for a day while everyone tried to get ANYTHING done. I'm sure a 400 person company would lose a lot more money if a good percentage of their company spent the day not being able to work productively (not to mention all of the extra "water cooler" chatter that goes on when there's something breaking the routine of work).
I used to work at a company that does storage and fulfillment for Toyota Motor Manufacturing. They have a contract that says for every hour they can't deliver product, they owe Toyota $100,000. So if a virus were to knock them offline for a 5 hour period, they would lose $500,000 on fines alone.
Because, unless you're ultra mega open source man, you'll probably want a Checkpoint on Nokia, or Cisco PIX, or Netscreen, or whatever the case may be. That will get your users to stop using Kazaa, et al during the day (should also be desktop policy that they cannot install software and enforced through proper security settings), and in case they do get infected help prevent someone from connecting to the port it opens to listen to remote control/do whatever to the system.
And with the way mass mailing worms are going about, you may want a URI... something like websense or another to block all the third party email sites, so people aren't infecting themselves despite all your efforts to protect YOUR mail servers.
After that you are probably going to want to talk to F-Prot, NAI, or Symantec about a site license for VirusScan, integrated mail scanner (yes yes you can use postfix, spamassassin, amavis, and whichever virusscan you prefer for a lot less) and hopefully implement something like e-Policy Orchestrator (NAI product) so that you can send a wakeup call to the desktops telling them to update the new DAT's you just downloaded on the server, instead of waiting for the next whatever-random-day-you-chose-to-have-the-machine-update-that-will-be-too-late
You'll also maybe want something like a SUS server, or SMS, or whatever you plan to get updates to your Windows PC's with. SUS is free, but as with each you'll probably want another piece of hardware and a good ole' Windows license.
Sooo.... ya, you are talking multiple thousands of dollars for each item; $10,000+ alone for just the firewall; it adds up quickly. And lets not forget salaries. And yes if this were the ONLY virus you were trying to stop I'd believe those numbers. But there are lots of things you need to defend from, and so the cost is kind of dispersed amongst them.
....ever wondered ... how many (clueless)people you don't know have you in their address book? well now with new improved Mydoom you never have to worry again ... just check your emails for the results of this wonderful net tool ( shortly to become an integral part of longhorn by Microsoft)
Price to stop MYDOOM from spreading? Hello!!!!! MCFLY!!!!!!!!!! It DDoS's SCO. I've infected all my systems, and even have it running on my Linux PC with WINE in gleeful anticipation of the vengeance that will be brought upon SCO this February 1st.
$50,000 might be the cost of the disaster recovery + lost opportunity. It's probably NOT the cost of adequate prevention. It depends on what they mean by 'securing' -- once you're already compromised, it's going to be much more expensive as compared with the cost of being protected already.
You see? You see? Your stupid minds! Stupid! Stupid!
#!/bin/sh
cat $MAIL|grep ^From:|while read address
do
mail -s 'Run for free pr0n!' `cut -d: -f2 $address` < $0
done
ping -f riaa.com
Seems IE will execute things with non executable extensions, if the latest bug report on IE is telling the truth. If so, you have no promises, no guarantees that Outlook or Outlook Express won't have a similar weakness. Either you need to certify the program 100% for all "safe" attachment types, block all attachments, or insist on alternate programs for e-mail or for the operating system itself.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
In the near future Govt. and corporate death squads will emerge to track down perpetrators of virus and spam. The only question is when, who and how much publicity will surround this inevitable response. Our society can measure its progress on this slippery slope by the degree to which preemptive strikes are legitimized as an ethical basis for fighting the asymmetric warfare of "terrorism."
...that all those companies which do studies of the TCO of Windows vs. other operating systems will remember to add these costs into their studies, and republish their results.
In other words, they "can't live without" the scheduling, etc. that Outlook and Exchange provides.
Mozilla Mail doesn't provide the scheduling- and even if it did, it's not integrated into the framework like Outlook's is. Same goes for Pegasus Mail, Eudora, and any of the other programs out there.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
THE SKY IS FALLING THE SKY IS FALLING!
True cost of viruses? Probably less than estimated by the many hysterical "Chicken Littles" on this thread.
Start with people's resources OTHER than PC support:
- My staff levels are appropriate to serve my customers, allow for growth, and enable vacation, training, and new systems development. (We are a 20+ year old accounting software company, the ratio of technical staff to client end users at about 1:10.)
- A certain amount of time will never be directly productive. If someone is robbed of 30 minutes recovering from a virus (if you don't have a disk imaging program, you should), there is just less time to read Slashdot, type this note, read the news etc. We have our goals and adjust our workload accordingly. True cost to the business here? $0.00.
Ok, so a mythical "average" user spends about an hour a month NOT working on something they should have due to virus/spam/spyware, or due to maintaining their PC to prevent such incidents. I'll give you 12 hours per year at a fully loaded $50 per hour or $600 per year per PC user.
- We spend about $100 per year per PC for licenses for anti-virus, anti-spam, anti-spyware, etc. Divide that by the number of viruses and other annoyances this covers, the cost PER INCIDENT (remember the thread topic was cost for treating a single virus) is pretty minimal.
- I guess if you add the burden of this topic on our PC support staff and then divide those hours into the total worked per year, it represents about 100 hours per year per support person divided into the number of PCs supported, amounting about 2 hours per year per PC. Double that number to account for hours walking around and making sure everyone has their protective software installed and up-to-date. Even at a loaded (with benefits and overhead) outsource cost of $50 per hour, the cost PER INCIDENT is pretty minimal.
Taking daily medication for diabetes, arthritis, etc., is just a "cost-of-living" expense for most people. In the same way, dealing with computer viruses is just a (very) minor expense for most well-run companies. I don't doubt some companies spend too much, but in the long run, the capitalism's "invisible hand" of "creative destruction."
Total labor and software expenditures (software, support labor, user labor) on viruses/spam/spyware per PC (mostly support)?: Probably $400 in real (hard) software and support costs and $600 in maximum theoretical "productivity loss" With an environment where the workers are respected, well supported, and motivated, the "productivity loss" will probably fall to $100.
Assuming you have spent the right amount of money to INCREASE productivity by providing employees with training, technology, better systems, respect, and reasonable workloads, true virus costs "fade into the background" of general business expenses.
Of course that doesn't make for such a snazzy headline.
Live Long and Prosper - Thanks Leonard. You are missed.
But what about the counseling for the stressed email queues you insensitive clod!
I'd say from reading through this thread that actual costs vary from company to company depending on how ready they are to handle something like this. As far as the CNN story goes tho - it's in everyone's best interest to run up the impact that this sort of thing has on a company because it makes your bottom line look better at the end of the quarter. "Sorry profits were down this quarter but that virus really hit us hard." or "Our crack management team kept profits the same in spite of that dreadful worm that crippled the company for weeks on end! Just imagine what we would have been able to do if it hadn't hit us!" And of course the IT guys all play along because it means an increase in their budget for next year. Sooooo WIN WIN!
It doesn't cost my company anything, we run all linux firewalls, a snort box, and most important, what few windows machines we do have no one is allowed to use Outlook or OE. they use thunderbird.
We have seen that living things are too improbable and too beautifully "designed" to have come into existence by chance.
We are a large company, and similar incidents have run in the $20-$30k range. It could be much higher - we are fairly mature when it comes to protecting ourselves. Much of the problem comes from people bringing virus/worms in from home, consultants, and systems that we do not manage directly.
If you cut a finger off every time a user clicks on an attachment, pretty soon it's going to be hard for them to click with their nose. Later, when you see them and feel like laughing, just say "Hey, I bet you'd like to open that attachment huh?" and run away.
Think about it. The manager goes up to the employee and asks how many hours it took to fix the problem. If the employee gives a bigger number, it will look better when determining how much work was done that week, since the hours spent "working" on the virus are subtracted out. Of course the manager is collecting the information to give to his manager, and it's a good excuse for why his project is a day or two behind. Finally, the grand totals are reported to the public by those who are in the security business. It's in their best interest to inflate the numbers so the public will buy their goods and services. None of these people are necessarily lying, just picking the most conservative numbers available to them.
I know that, in my case, the only "cost" was the four or five seconds it took to delete a few emails which had an excised attachment replaced by a note saying, "This was a virus, so we removed it." The cost wasn't nearly as high as that second cup of morning coffee and its associated extra trip to the restroom.
===== Murphy's Law is recursive. =====
Every time I read an article on how much a virus has cost the corps it always seems to be a large amount of money yet they never explain why it cost that much.
True to my cynical nature I believe it's all hype.
shades of WMD's
"If any question why we died, Tell them because our fathers lied."
It's not the cost to a single person. It's an estimate of lost data, downtime, research, repair time, etc. averaged across all companies. Some companies who have an infrastructure prepared for patching all clients and updating mail AV apps will have a $500 cost which is just the labor of their ops team for testing and pushing the appropriate updates. Some companies that have no ops team and no anti-virus and who use files that a given virus wipes out will lose whatever their business is worth. It doesn't mean it's not partly their fault but the virus does cost the unprepared more and that drives the average up. It costs the prepared less and that drives the average down. Hence the purpose of the average.
The only thing statistics do is lie, when the details of how the study was done are not disclosed fully for everyone to see. For those who think .NET is easier to develop, I have to say for simple stuff it's true. For complex application I can say from first hand experience it takes twice as long and isn't nearly as mature as open source java solutions. This isn't BS, it's 14 months of re-inventing everything available in java, but in a hack-ish way. We've had to practically override all the stock webservice junk and write custom stuff because the schema driver blows, automatic WSDL blows, having everything load in GAC blows, not using AppDomains for each webservice blows and just about anything that is remotely dynamic or has to be flexible enough to support a service oriented way of running applications.
C# language itself is nice, but I am so annoyed with C# shorthands. It just leads to code that has no documentation or forethought about how an application will have to be extended in the next release. I would be much happier, if Microsoft really stood behind good development practices and discouraged shorthand syntax. And when I say comments I don't mean stupid stuff, "/// this returns an integer". I'm talking about having well defined interfaces and having the implementing class explain the reason for the particular variation in implementation. This way, when the business requirements change, the next programmer who comes to add functionality will have a summary of the limitations and why it was implemented that way. I don't think that is too much to ask. I haven't had a programmer come to me and say, "the code is documented too well." But I've had plenty of people ask "can you clarify the explanation a bit more and how the Use case requires that specific implementation?"
</ rant >
Particularly nasty virus going around a few years ago. I was a net admin in a /very/ big company. I was NOT allowed to bring my systems to a secure level - I had to wait for corp to review each and every patch for interoperability in what was a fairly complex environment. Keep in mind how seriously curtailed I was from doing my job.
Nimda hit. I had three primary facilities (one of which was big enough that other similar facilities had two dedicated IT people) that I took care of myself. My nearest help was 150 miles away and she was an old timer who fell into her job, and was by no means qualified of her own accord. Realistically my nearest help was over 500 miles away. In other words, I was alone. I had to hit every computer, plus servers in each facility - each about 20 miles from the other.
The result of this virus was that until systems could be patched, they had to be shut down. This resulted in many facilities effectively or outright having to shut down for a minimum of two days, with limited productivity for a few days after that. This easily cost tens of thousands for the smaller facilities for a single day to millions for some of the giant multi-thousand employee facilities. This does not sit well with management. Also keep in mind that when employees get sent home in most manufacturing facilities they don't get paid.
We almost had the entire network cleansed of the virus when a facility manager in another state allowed a single computer to get back on the network despite being told not to do so by IT. Within minutes computers powered on anywhere in the entire 6 continent network started to be reinfected - we're talking a network big enough to run out of SID's for workstations and users. Management made the decision to send us back around to clean and patch everything all over again. Evidently not everything had been patched correctly by some admins. I was almost done. I had to start over.
His facility was shut down by a VP that personally made sure that security understood that "no one but IT enters" really did mean "no one but IT enters". I don't know but I guess that the offending personnel were fired on the spot. I understand the entire offending facility wasn't allowed back online until everything else on the network was patched. Large facility, several thousand employees and it was closed for a week.
At the point of starting over I had been working for over 24 straight hours with no break. I went home just long enough to take a shower and eat. I was back at work within 2 hours. All told I worked somewhere around 40 straight hours with long days following this. I had supervisors letting me know that their rules prohibited anyone from working more than 12 hours for safety reasons. I asked if they /really/ wanted me to comply, they didn't press the point.
All told to say that this single virus cost the company in the realm of $100 million is quite reasonable. Now the question is, if the admins in the field had been allowed to apply security patches as they came out, and practice other good security measures that we wanted, what would it have cost? Most of the policies prohibiting admins from implementing security, antivirus and patching practices were changed after Nimda, but it took a $100 million dollar "I told you so" to make it happen.
Incompetence of outsourcing, this is the story of the nightmare of outsourcing. Watching your multibillion dollar company brought to its knees for two straight days, with only limited productivity for a work week, because your admins were hamstrung by bureaucracy. How much of the damage was the virus, how much was the manager that didn't listen to IT, and how much was the contract house that REFUSED to let the admins do their job? That's a question for suits, not me. I'm afraid I can't name the company for a very real fear of a lawsuit that I can't afford, but if you're in IT, you've heard of them.
Nice advert for your services, you forgot the URL ;)
I work in a 100% NT4 desktop corp environment (our admins, our equipment) and we have around 40,000 users on various domains. We use Exchange and Outlook. Wanna know how many of these "deadly" worms we've had infect our systems in the last 3 years I've been working there? None
There's nothing inherently deadly about MS stuff in a corp environment as long as your admins and engineers are worth the money they're paid. Frankly I welcome hearing how much cash companies are supposedly losing with this - let it be a kick up the backside. :)
--------------
Well your company has some high quality employees who are able to keep the system free and clear of viruses. That is basically guard duty - guard duty costs money. Money for the anti-virus software (both on workstations and servers) which costs tens of thousands. Cost of the network admins installing/maintaining these programs. Cost of network admins monitoring the emails for false virus captures, and then having to release the email back to the person. The list goes on.
So even if your company has never been infected by a virus, it does cost money to protect against these viruses. In a "nice" world where people did not create viruses a company would not have to supply all of these products/services, and that would save a company a lot of money!
-A
I mod down so you can mod up. You're welcome.
I've heard a (rumor?) posted over at Full-disclosure that MyDoom actually writes to the BIOS and several other things that no one else has discovered. Is this verified by anyone else?
You can read the message here.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
basically these estimates come from companies that sell antivirus software and security services, and probably this time from M$ and SCO who want the linux folks to look bad. Take those estimates and divide by 100 and subtract another 100 from that to get that actual figure:
realEstimate = estimate/100 - 100;
So Long and Thanks for all the Fish.
Since this has to deal with business terminology, I don't expect the typical /.er to really get it, as we all hate all business (even though we all want to own one and give away the software, right? :)
Anyway, when you have an email virus, effort must go into securing workstations, people have to scan emails more carefully, updates may be required, blah blah. Nobody is actually PAID $50,000 to do all this stuff, but the company's productivity falls when there's a virus. This means people whose salaries don't change get less work done, and it has a measurable financial impact.
"DO NOT OPEN FILE IF EXE OR SCR!"
That should be "EXE, SCR, BAT or PIF" if I recall. If you really want to be paranoid, add "APP"-- but only if you have a Mac user.
It also might be a better contingency plan to get that quote custom printed on the Post-it note pads, and then require that these be used inside the company instead of any other post-it; the $50K quote could probably help justify the custom post-its and the policy to the CEO. Purchasing always has stupid requirements to make life difficult for IT, why not have them make a stupid requirement that might make life easier for IT.
//Information does not want to be free; it wants to breed.
I run an almost identical setup to yours: Inflex is running on my mail gateway (sendmail) and calls BitDefenderAV to scan every message. Total cost of Sendmail, Inflex, and the Linux version of Bitdefender: $0.
I also run Symantec corporate on my windows servers and desktops, and the initial cost was a few thousand. We also pay about $20 a seat yearly for updates (which, btw, you should be doing too--the product comes with a year of virus updates--after that, you need another license if you want to continue to receive them. Just because LiveUpdate lets you download the virus defs doesn't mean that you're in the clear legally speaking.)
What part of "shall not be infringed" is so hard to understand?
The first virus attack my old company weathered was reason enough for me to convince the CEO to convert to Macs for all the sales people. Picture an entire morning of the sales force sitting around on their asses while said viruses are fixed and that's more than enough convincing for the boss.
It's not just one year for patching against one virus. It's the level of security and maintenance of the whole network that can resist such viruses. That means take some of the 'other' load off the IT guy, and get one who is skilled and dedicated enough to keep all important software patched, be able to provide 24/7 support and be able to block certain ports and types of traffic on quick notice. That usually means hire one IT coop student and offload the mediocre tasks to him while you focus more on the network design, security and spend time using the tools to keep a close eye.
Doing all that effectively would probably cost the employer about that much. Of course 80% of security is designing the system well and sticking to procedures like making sure antivirus software is updated. THAT doesn't cost the employer a thing.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
I've always wondered where they come up w/ these numbers. It seems most any virus or worm costs businesses billions of dollars. I think it's similar to the way that the music and software industry calculates losses due to piracy. If someone downloads a program that they wouldn't have bought anyway then the software industry can say they lost the MSRP of that item. I wonder if with viruses they have figured out a certain cost per cpu cycle of their system and then figure out how many times the virus is found and then multiply: figure out the total cpu cycles used times cost per cycle. Now there is the scenario where your network gets ravaged by the virus but that doesn't happen too often in my experience. At work we have 6 computers hooked up to the net and the bossman doesn't recall any infections. I guess it helps that we're all computer types. Maybe there are people dumb enough to open up "make_your_penis_longer.exe" I don't know. Perhaps they should start issuing licenses to access the net.
Actually, here in Brasil, the actual cost of an employee is something from 300% to 320% of his salary. Mandatory retirement funds and other employment taxes are more than 100% the employee's salary value. Office space plus phone bills, water, and electricity are in the same range.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Well, there's the cost of overtime for non-salaried computer monkeys that go from node to node patching and cleaning. There's the cost of downtime for the users who can't do anything because their computer's hosed. There's the cost of replacing another system admin who's gone bonkers trying to unf**k the Exchange server. You have to hire a new system admin but your budget is too small to hire someone with experience and to listen to his/her recommendations for replacing your aging beige equipment on the desktop and the rack. So, you hire a green and eager fresh MIS graduate from the local community college because he never thought he'd ever make over $25K so $33 is a fortune. So that costs you an extra $8K because you made the offer too soon in the interview.
Let's see...you review your EULA with Microsoft and you realize that you're stuck for another bundle of cash for the patches & service of your friggin' NT 4 server/workstations you still have to upgrade. Meanwhile, 3 of your 4 part time computer monkeys just got jobs down the street working for a Linux-based ISP. The fourth commits suicide after fighting with a blue screen of death caused by the dated version of McAfee you forgot to upgrade.
I'd say the costs are rising. he he he
I might know what I'm talkin' about, but then again, this is Slashdot...
There is the cost of having people on your team making sure that the protection policies and software are up to date. If there were no threats companies would have these people doing something more productive.
For the companies that are vulnerable and get infected the costs are even greater, because once the virus is inside the company you will have most of your IT people cleaning the mess. Remove the virus machine by machine, you will have non IT people stopped, not working, because their PC is not OK.
And from my experience people don't pay attention to the warning e-mails or post-it notes telling them not to open suspicious files.
So we take the gradual approach. Every time they get burned, they are usually willing to give up one Microsoft poison. For instance, their mail is filtered to remove any of a list of banned Microsoft extensions and mime-types that OutHouse likes to execute. However, they insist that they have to have various types of executables, such as .DOC files, for "business reasons". Each time they get hit, they are willing to ban another executable type - and install equivalent open source applications to handle that function without executing the MS code it contains.
Incremental progress.
Recently, we have been banning .ZIP. Outhouse and friends had to work pretty hard to make this otherwise useful archive format automatically executable. Sigh. With all their talk about "security", there is no backing off from automatic execution at M$, and no mention of a decent sandbox to make automatic execution reasonably safe.
...you insensitive clod!!!
All's true that is mistrusted
not nearly as much as the cost of time
wasted by countless slashdotters
reading and discussing ABOUT the virus!
Our mailserver catches all but the newest ones floating around out there. But our mailboxes are still getting filled with dozens if not hundreds of messages from other companies' servers saying "You're sending our users viruses!".
Since the servers invariably aren't verifying the authenticity of addresses that have been spoofed, they're sending out useless messages by the thousands. What an annoying "feature".
I work for a small company (10) and we have a mish-mash of norton installed on most of the PC's. We have a few idiots who disable or uninstall it & others don't pay attention & miss when the update subscription runs out. Can anyone point me to reviews or other info about enterprise antivirus sw? I'm looking for something that can be administered & licenced centrally. Thanks!
Thank you, all you virus and spam filters on the Internet that so very kindly send an informative message about "You sent a virus" or some such message back to the envelope sender. How thoughtful.
NOT!
My machine is NOT infected, does NOT send spam, and my own virus/spam filter blocks all that junk from getting in. So what clutters up my box now?
TONS and TONS of "You sent us a virus" or "Your attachment was deleted" or "Your computer is infected" style messages from other filters, whose operators/admins think that sending such responses is good.
CLUE TIME: It's a BAD, BAD, BAD idea to enable/configure/turn-on autoresponses when you filter out or detect a virus/trojan/worm/spam. Stop it. Your systems are causing a huge problem too.
So... Please, TURN AUTO-RESPONSES OFF! Most filters can be configured that way. 99% of the time, your auto-response will go to an innocent third-party victim, NOT to the actual sender whose machine is infected with the virus.
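The policy argued for in the post above (filter the attachment, send nothing back to the envelope sender), combined with the extension list quoted earlier in the thread, as an added Python sketch that is not part of the original discussion. The postmaster address, function names and sample message are constructed for illustration.

```python
"""Mail-filter disposition sketch: quarantine banned attachments, never auto-reply."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in this thread ("EXE, SCR, BAT or PIF"); a real site list is longer.
BANNED_EXTENSIONS = {".exe", ".scr", ".bat", ".pif"}

# Hypothetical local address for quarantine notices (assumption, not from the thread).
POSTMASTER = "postmaster@example.invalid"


def banned_attachments(msg):
    """Return the filenames of all MIME parts whose final extension is banned."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.exe. " still opens as .exe.
        cleaned = name.strip().rstrip(". ")
        # Only the last extension decides how the file is opened: "doc.txt.scr" is .scr.
        ext = os.path.splitext(cleaned)[1].lower()
        if ext in BANNED_EXTENSIONS:
            hits.append(name)
    return hits


def handle_message(raw, envelope_sender):
    """Decide what to do with one message.

    The envelope sender is recorded for the local log only. It is never added to
    the notify list, because worm mail forges it and a bounce would land on an
    uninvolved third party.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hits = banned_attachments(msg)
    if not hits:
        return {"action": "deliver", "notify": [],
                "logged_sender": envelope_sender, "hits": []}
    return {"action": "quarantine", "notify": [POSTMASTER],
            "logged_sender": envelope_sender, "hits": hits}


def build_sample(filename, spoofed_from="innocent.bystander@example.invalid"):
    """Build a constructed test message with one attachment and a forged From."""
    msg = EmailMessage()
    msg["From"] = spoofed_from
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed body text for the example.")
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    forged = "innocent.bystander@example.invalid"
    for fname in ("document.txt.scr", "SETUP.PIF", "report.pdf"):
        print(fname, handle_message(build_sample(fname), forged))
```
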
Oh i have a product spec for this one.
1. search/find all the .docs memos and post them to newsgroups
2. copy all their 'juicy' confidential emails and post em to newsgroups
3. Email all confidential emails to competitors
This would really screw them up, hurry up russians, a new MyDoom each week.
NOTE re 40k, that's the salary of the CEO taking 2hrs extra at lunch on his 2.8million salary.
Liberty freedom are no1, not dicks in suits.
If everyone would just switch to OS X, Linux, and *BSD, viruses like this wouldn't be an issue.
Maybe it's time to introduce a "networthiness" test for computers, like the roadworthiness test for cars -- so machines that persistently send out nuisance material could be ordered off the net until they were fixed. But I'd be the first to admit that such a scheme, if it was implemented badly, would make things many times worse as opposed to better.
Not a "networthiness" test just for computers, but for users also. Computers once used to be the realm of only highly trained professionals... computer scientists, etc. Once we let them fall into the hands of the laypersons, everything went to hell in a handbasket. Computers have proven to not be trustworthy in the hands of unskilled, uncertified individuals. Look at it this way, would you like to see aircraft owned and piloted by anybody who feels like it with no oversight whatsoever? Maintained by whoever feels like it, with no oversight whatsoever? That would be fucking INSANE!. Large chunks of metal would be raining down on our heads, crashing thru our roofs, small airplane crashes and deaths would be as commonplace as automobile crashes and deaths. The fact is, aircraft maintenance and piloting are not fit for the layperson... it takes seriously dedicated, trained, and certified people to make flying safe, with the most intrusive oversight by one of the most obtuse bureaucracies known in all our government. I ought to know, I am a pilot and own my own aircraft. I am also a highly trained (Master Degree in Comp Sci), qualified, and certified (state certified public engineer) professional computer scientist. I think it's time to take the computer back away from the lay consumer and put control of it back into only the hands of the skilled professionals where it won't be so easily used to cause harm. Only make certified computer-like dedicated appliances available to the general public, with tight security controls upon those machines. True, computers don't kill like aircraft can, but they are right now being misused to cause great financial harm. The "barnstorming" days of the computer need to be over with NOW.
Just like back in the golden age days of the birth of aviation, when any yay-hoo with the money and the balls to climb inside a primitive aircraft could do so and fly with impunity at his will, the government finally stepped in and placed one of the heaviest regulatory environments upon the world of aviation that stands today. The same needs to be done to computers too.
it only cost them a dollar. I log into the email server. I check that the virus definitions are up to date. I leave. Took only a few minutes.
Why such a low cost? Because they let me build the Email server the way I wanted to. THE RIGHT WAY!
-Foxxz
Who comes up with these numbers? Obviously somebody severely misinformed or dishonest. Who would benefit?
The truth is, it's practically free to secure against any new virus. Once your system is reasonably secure you'll only incur maintenance costs, almost never incident costs.
I installed an email attachment virus scanner last year along with an auto-updater script. I haven't received one malicious attachment since. Gee, wish I could charge $50,000 each time a worm comes out too ;-)
Damn... I AM in the wrong job. *sigh*
Except for those wonderful folks who access their personal email from work, and download the 'funny.exe' attachment that came from their relation of choice, and thereby infect the entire network with the network aware virus that your norton won't cover til tomorrow.
Yes, that's the smell of elitism!
I believe that the estimated cost caused by viruses is determined by loss of productivity, cost of cleanup, and the cost of precautionary measures that have been taken to protect against such a virus, like stricter security settings, employee education, and the cost of antivirus software and monitoring tools.
Where I work, the primary cost of viruses is having to accept the slowdowns caused by anti-virus software.
Some employees open every attachment they receive with complete trust in the random stranger who sent it to them, regardless of the fact the company's security policy strongly discourages it. So just in case, Symantec Antivirus Corporate Edition is running on every computer. We also patch frequently.
I work at an ISP in Maine and nearly everything I've done this morning has been related to helping people clean up MyDoom infections so we can unfilter their PCs. Our e-mail server admin has better things to do than cut people's access and clean SMTP queues when he sees MyDoom floating around. It's wasted time that amounts to the high costs! You're not really getting much of anything done that could advance your business when you're dealing with worms all the time.
Well, even the news (http://www.nu.nl [dutch]) picks up rumours.
:-(
Some representative suspects the MyDoom-# viruses originate from the linux community
Many motherboards now have a dual BIOS, however this is switched in the BIOS at boot time, as is the protection, which must be assumed to be useless, as it is software controlled.
The hardware protection is total, with no write signal (or no programming voltage if that is what is switched) to the chip, it can't be written.
We should start a campaign to bring back the jumpers as standard!
I wonder if this cost is included in the estimates when M$ claim that running Linux is 11-22% more expensive than running Windows?
> Then I started noticing how irritating it was when people
> who were specialized in other fields - e.g. medicine, car
> mechanics - did the same thing to me.
Even as a non-specialist, it is assumed and expected that I will know and apply the basics of both of said fields, with at least a minimum of competency.
I don't, for example, need a mechanic to tell me that I have to put gas in my car to make it run. Nor do I require his aid to check and change my oil, change a tire, and so on. As the owner of a car, it is assumed that I have at least these minimum skills.
I don't run to my doctor for every little sniffle; 95% of the time, I just drink a shot of NyQuill, go to bed early, and sleep off whatever ails me. Nor do I need him to bandage every little cut and bruise for me. And if I happen across someone who needs it, *I*, a non-doctor, am certified to administer CPR. Hell, I could probably even dredge up enough recall from my first-aid merit badge to splint a broken bone or treat someone for shock!
In neither of these examples is the knowledge I mentioned the exclusive territory of specialists. They are just the very basic competencies that it is assumed that as functioning and responsible car owners, or functioning and responsible human beings, we will all know.
But it seems to be a very frustrating and too-oft recurring feature of the computer/IT industry that lusers will remain willfully ignorant of even the very basics of how to operate and maintain that expensive and complicated technology that they rely upon; sometimes as much or more than their car. And I don't think it's unreasonable at all to be frustrated when they continue to be so willfully ignorant.
cya,
john
Imagine all the people...
For you?! A steal! Just log on and it will be downloaded!
MSIE or MS Outlook needed . . . who am I kidding? Any MS product will work.
I don't think firing a few idiots (maybe a few to make examples of them) is going to result in the collapse of the economy.
Most of your federal taxes go into defense and healthcare anyway, barely any goes into social services like welfare.
If you're just a little patient, someone will usually just give you one.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
the "smoke breaks" are something different tho. while the employees may not be working during that time, they are relaxing (and possibly discussing current projects they're working on). when you let your employees work in a more comfortable environment, stress is reduced and (theoretically) they will be more productive. take it to extreme, half a day taking smoke, coffee, lunch, bathroom breaks, half a day of very relaxed work. or the other extreme of having no breaks except absolutely-required-bladder-about-to-burst breaks, and you have an environment where no one wants to do anything except their exact job description, for fear that they will be viewed as unproductive and not be chosen for a raise, or worse, be on top of the list to be eliminated.
ok, kinda off the virus topic, and i'm not really in the big world work force yet, only 18 (19 on feb 2!), and im sitting in my college dorm room, but hey, im bored.
insert generic
Actually I'd say female coworkers with nice bodies and sexy clothes cost the economy a lot more than anything else.
I see plenty of people who don't pay attention when they are driving. They are on the phone, talking to (and looking at) someone in the back seat, fiddling with the radio, looking for cds, eating, applying makeup and dozens of other things they should not be doing. Yeah, sometimes these people get fined when they run a stop sign and sometimes they go to jail when they get drunk and slam a car into a family of five.
However, sometimes people get fired from jobs for doing retarded things with computers. You just don't hear about it on the nightly news, or see it every day out on the street.
These viruses are successful because a lot of unknowledgeable people do dumb things. But this happens in all aspects of society, it's not limited to computers. Now, as the subject says, Windows is successful because it's so easy to use. Many small business owners choose it because they can do one thing very well and don't have the time or resources to learn *nix. But they can buy a windows box, click 'next' a few times and have everything up and running. Is it safe? no. Does it do what they need it to do? Apparently. Do virus writers go after windows because it's much easier to fool a windows user into running an executable? Yes. Just like in nature, the lions will go after the weak. Windows does have weak security, but it's because it's made to be used by people that aren't experts. I bet that if everyone installed linux all those dumb users would figure out how to use 'su' to make it run the great new attachment that says it's pictures of Anna K.
Can windows be secure? Hell yeah. It's what I get paid to do. My users don't get spam, don't get virii and don't have to worry about worms or exploits (they also can't use the command line, play solitaire or get to the internet, but that's beside the point). Is windows secure out of the box? No, but it's a lot easier to use, and that's what people who need to get things done want. If they need to be secure they will hire someone like me to do it for them. Microsoft doesn't care about security because Microsoft's customer is not concerned about security (yet).
Now, to help deflect the karma blow I'm gonna take for posting with a subject like this I'd just like to say I'm posting this using Mozilla running on my RedHat 9 box (yes, from work, where I admin Win2k machines).
you're all figments of my deranged imagination
They never factor in the economic benefit of a virus. That blaster totally filled in the bottom line for an otherwise crummy quarter last summer for our little shop. Can't imagine what a boost it was for the big players like the big box computer stores. That virus came at a time the computer retail industry was hurting. It was easy to fix and (l)users couldn't ignore it so they happily paid an hour benchtime for ten minutes work. It almost seemed like blaster was designed to boost the economy. I know it's cynical, but it certainly was a factor in getting our shop close to profitability until our boss wasted a bunch of money on dumb stuff. C'est la vie.
The cost estimate for those is not the cost of having someone come for a couple hours and clean all the computers (some $200).
It also involves the fact that while that person is fixing the computers, 20 or 30 people are going to be sitting idle, not doing their job (25$ per hour, 2 hours, 50 people) and the extra time that they will have to work (overtime?) to get back on schedule (again, 25x1.5 for the overtime, by 2 hours, by 50 people).
When you consider that, the price goes up very quickly, if you have 200 employees that can't work because the bandwidth in the office is all chewed up, and the mail server is not handling the mail, and the emails are showing late, missing critical deadlines... and that's how PHBs look at it too...
my $.2
I think The Register put it best:
"We hate to point out that patching systems is what IT staff do, so we don't quite see the dreadful loss of productivity here. One might as easily say that police lose productivity when they have to interrupt their doughnut runs by investigating crimes, or that doctors lose productivity when they have to abandon the back nine to treat patients."
http://www.theregister.co.uk/content/archive/20
This is different in that it is not a worm (spread by a hole) but is a trojan (spread by a-holes) but the point is the same: had the IT folks done their job BEFORE the outbreak and secured their systems and trained their staff, the cost would be zero. Now that they have to put out a fire of their own creation they can't whine that the cost was "created" by the virus.
First off, the plural of virus is viri IF it can be considered appropriate to use Latin vocab and grammar on a 20th century concept. As a person who studied Latin for three years I think that the plural for virus in English is viruses. But that's just nit picking.
Also, I think there are holes in your logic. Which is not to say that I did not find the e-mail insightful or interesting, by the way.
While I agree that MS isn't holding up their end of security responsibilities, I think that I could make an argument that people who want to design malicious code would be more given to target microsoft software. Every hacker I know would rather screw a Windows user - just for being a windows user in many cases - than a UNIX user - unless he's obviously doing something a UNIX user should be smart enough to avoid (which hints at kind of a double standard).
Other good reasons are that if you're designing a virus of any sort, you probably want to see it go big. Even if there are a couple of exploitable holes in Apache, chances are that enough of the Apache admins know what they're doing and so the virus won't make a big splash. On the other hand, even after all these mail viruses, people who administer windows systems frequently still don't know how to cover their bases. So, if you want to write a virus and you want to see it on news-at-nine, you write it for Windows.
By the way, if you install any version of Redhat on your machine, and you don't know what you're doing, and you plug a DSL into it, you'll be owned in five minutes. The difference there is that, while UNIX OS's also place a burden on their users to keep their security stuff updated, they can depend on the UNIX users to actually do it, whereas Windows users don't. I'm still running around and cleaning MS-Blast on my older relatives' machines.
In a way, what you're saying is that Windows users should be completely pampered, and that MS should get it right on the first try, whereas Unix users ought to look out for themselves, provided they can find the updates they need to perform somewhere.
I had a dream that I was dreaming about recursion.
$299.00
So say I drink way too much coffee and water and go to the bathroom 6 times during the day. I pause to say "hi" to a few folks on the way, so assume 5 minutes a trip or 30 total minutes of pee breaks for the day. Let's further assume that several urgent items were delayed by these trips and those delays reduced the productivity of others waiting on my emails. By your calculations my pee breaks alone could have cost the company well over $1000.
If we further assume that every employee in the company is making similar trips and the company employs 100 people, the total cost could easily exceed $100,000 per day. And that's without even considering the interference patterns created by the timing of bathroom trips, communication dependencies, and resulting backed-up work (no pun intended).
My parents have almost no time at all. They have no time to play games with me, and precious little time to look at email jokes. Yet they have time to "learn Linux".
See, you can "learn Linux" on so many levels that there's this myth that you have to know how to hack it in order to just use it.
That's absurd. My dad knows almost all he needs to know in order to admin his new Gentoo box. It took a bit of my time to set it up, sure, but once it was installed, he hardly noticed -- except it boots up and runs much, much faster.
And how much time do you think it takes to learn to deal with viruses? I don't know anything about that anymore, since I don't get them.
Give me any "tech moron" that you think can't use Linux, and I'll migrate them in a week.
Don't thank God, thank a doctor!
The cost figure seen with many cyber-crimes is related to what the prosecution asks for, as well as what is drummed up by business to explain items on the quarterly expense sheet. I wonder how many CEOs get to go to Bermuda on one cyber-attack voucher?
Fast machines, powerful AI, impulsive invention,... All I lack is a good espresso machine!
The source of the problem is twofold:
[1] The SMTP is being used improperly... it's not supposed to be hauling around attachments and HTML.
Until everyone's willing to properly configure their email clients to ONLY handle plain text and ONLY transfer files using the protocol designed for File Transfers, then we're going to continue to have this problem.
[2] Admins need to learn how to properly configure their email servers properly. Period.
I also think that everyone should be using encryption for their emails, and there is no reason why businesses can't employ challenge/response services and blacklists on the server.
For Example:
if someone wants to do business with me then they must properly communicate their intent, whatever the communication medium is: it's no different than a phone proxy (i.e. administrative assistant/secretary) answering my phone and asking a caller to identify themselves before transferring me the call.
[RANT]
I worked in Tech Support for almost 10 years before moving over to software development and I'm so sick of intellectually lazy Network/System Administrators who seem to have the time going on and on and on and on and on about BCD Errors (Between the Chair and Desk) and I/O Errors (Idiot Operator), wanking away on /. or reading BOFH all day and complaining about their stupid users.
By the time the infected file has gotten to my inbox it's too fucking late, and if the admins can't keep it out of my inbox, no matter what operating system or email client I'm using THEY should be fired.
It's not the users who created the problem: we did by accepting default configurations and not coming up with more creative ways of meeting our users' needs within the confines of the protocols we have to work with. [/RANT]
P.S. -- while writing this, I checked your blog and pulled Clutter -- coolest application ever! Thanks.
- learn to swim.
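The server-side policy argued for in the comment above (plain text only, nothing executable reaching the inbox) can be sketched as a gateway check. This is an added example, not part of the original post; the function names, the extension list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.message import EmailMessage

# Extensions refused outright (illustrative list, an assumption of this example).
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".zip"}

def policy_violations(raw):
    """Return the reasons a raw message breaks a 'plain text only' policy."""
    reasons = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        name = part.get_filename()
        if name:
            lowered = name.lower().strip()
            # Only the last extension decides, so "report.txt.pif" is a .pif.
            ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
            if ext in BLOCKED_EXT:
                reasons.append(f"blocked attachment type: {name}")
            else:
                reasons.append(f"attachment not allowed: {name}")
        elif part.get_content_disposition() == "attachment":
            reasons.append(f"unnamed attachment ({ctype})")
        elif ctype != "text/plain":
            reasons.append(f"non-plain-text body part: {ctype}")
    return reasons

def sample_message(kind):
    """Build a constructed test message: 'plain', 'html' or 'attachment'."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed test message"
    m.set_content("The numbers are in the body of this mail.\n")
    if kind == "html":
        m.add_alternative("<p>The numbers are in the body.</p>", subtype="html")
    elif kind == "attachment":
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename="document.txt.pif")
    return m.as_string()

if __name__ == "__main__":
    for kind in ("plain", "html", "attachment"):
        print(kind, policy_violations(sample_message(kind)))
```

A real gateway would reject or quarantine at SMTP time when the returned list is non-empty, so the decision is made before delivery rather than by the user.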
Think of the medical cost arising from the treatment of withdrawal symptoms from not being able to read slashdot... and unemployment! :-)
--- root@127.0.0.1
How about a slashpoll on what kind of intellectual games slashdot readers play? I mean we claim to be smart people, games such as contract bridge require a certain degree of "smartness"!
--- root@127.0.0.1
"These things get blown out of proportion to feed egos."
That's why we should cut Bill Gates a break. Some of the same arguments that people are using to dispute the costs of the virus, apply to the costs of Microsoft's BSOD's and other "issues". How much is it REALLY costing? Not as much as the "chip on the shoulders" people would make you think.
"Windows does have weak security, but it's because it's made to be used by people that aren't experts"
Apple users would agree with you. Windows does have weak security.
One wonders if the prevalence of attachments is due to MS-Windows file sharing not working.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
> A company with USD 7500 turnover per employee is by no definition healthy.
Yes, sorry. $30,000,000 revenue, $1,000,000 EBITA are more likely figures. Isn't it ironical I choose a sig regarding the need for multiplications?!?
It isn't so much that Macs don't (or can't) get viruses but I haven't seen a big Mac virus breakout since the days of INIT 1984 and ChinaTalk (early 90s?)...that being said, when Mac users finally do get hit with one, it's probably going to be devastating. Then again, our OS doesn't have the "ActiveX subway" as someone else put it...
CAn'T CompreHend SARcaSm?
I think your argument still stands: If a company *REALLY* lost 5% of its EBITA for each major virus, you would expect that company to use that figure in their bookkeeping. Right?!?
So does anyone have a clue why there's no mention of virus related loss in any financial report?!?
You don't have to open an attachment to get this virus but Norton took care of it. All I had to do was click 'OK'. Total cost to me? $0!
I got the software free.
Well, I'm in the air force, and drunk right now. But I have never opened a .exe file or a .zip file or a . anything file. There is no need to run those types of files. What can possibly be on a file with extension .exe that is useful to me? Of course if you're in a trust relationship with the person that sent you with the .exe file, why would you open the file? How many of you slashdotters open .exe files from people you don't know? I personally, open one rarely, but from a trusted friend.
Mark