Slashdot Mirror


What's The Actual Cost of A Virus?

ThosLives writes "CNN Money just posted a story that says the MyDoom virus may cost businesses $250M. My favorite quote is that for small to medium businesses with 400 or less employees, the estimate is between $48,000 and $58,000 cost to 'secure themselves' from the particular virus. Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"

17 of 526 comments

  1. Why do you care? by ObviousGuy · · Score: 4, Insightful

    This is one of those hand-waving statistics that is useful for showing the business leaders, but it's practically useless in day to day network protection.

    These numbers used to be in the billions of dollars, but now they are more reasonable in the millions. If anything, it shows a trend in the perception of the value of data in a downwards direction. Everyone thinks data is some really important thing which should have a high value, but as more and more data is brought into the open (including, but not limited to, source code) the value of data drops.

    --
    I have been pwned because my /. password was too easy to guess.
  2. The cost to MAKE a virus by Moderator · · Score: 3, Insightful

    Virus making is actually a good way to make profits. Hire one guy to write the virus, a few hundred thousand dollars spent on writing an antivirus program, and then sell millions of copies of said program at $50 apiece to people whose PCs were infected when they opened a program called Happy99.exe from Grandma.

    --
    The World is Yours.
  3. Wasted time! by Gavin Rogers · · Score: 5, Insightful

    The biggest cost of this sort of virus is time.

    Time waiting for your 'net link to do what you've paid for it to do while your email server chokes on hundreds of incoming virus emails.

    Time wasted by tech staff explaining to every user at least once to not click that file (or if the organisation has virus scanning) to ignore the ten dozen "virus has been nuked" warning emails.

    Time wasted by staff who have to spend time ignoring this junk, replying to warnings about the thing from their naive friends and family emailing them CNN URLs and saying, "is this for real?"

    Time wasted making sure the company virus protection is up to date on laptop machines that get infected at home on 'raw' Internet connections then get plugged into the pristine corporate network in the morning. Time wasted fixing machines that weren't caught in time.

    This sort of cost really adds up...

  4. Education by DotNM · · Score: 3, Insightful

    But also, I feel user education can help a lot. Companies need to start implementing some sort of formal e-mail and internet usage training when people join the company and a refresher every so often.

    --
    There's no place like localhost
  5. do your math: it'd only be 5000 small businesses by Anonymous Coward · · Score: 5, Insightful

    Do your math: you say between $48K and $58K per small biz, so let's take a lowly $50K average. The sum is supposed to be $250M, which is only 5000 times those $50K.

    Are there only 5000 small businesses out there?
    I think not.
    So those $48K to $58K must certainly be understood as a "worst case" figure applying only to a fraction of businesses out there.

  6. Re:Actual Cost of a Virus / SCO by cubicledrone · · Score: 5, Insightful

    Any moron who works at a company and opens said attachment should be fired anyway.

    So remember folks: all those years of school, training, reading, getting up at 5:30AM, working your ass off, overtime, weekends, holidays, sitting in meetings, telling your asshole boss how smart he is...

    ...all reverse vacuumed into the shitpipe because you made one mistake. There's no excuse for being human in an inhuman workplace. Take your parting gifts, pack up your shit and get the fuck out. Time to watch your career get destroyed.

    --
    Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
  7. Re:Actual Cost of a Virus / SCO by Anonymous Coward · · Score: 3, Insightful

    The cost is not actually an actual loss as in they have to pay for it. It is more of an opportunity cost.

    What they mean is instead of using the time to fix up and repair the damages of the virus, that time could have been used generating profit for the business.

    Since they are not being productive during the time the virus is being sorted out they are losing money because of it. Hence the cost of fixing viruses.

  8. You're out of touch with reality by cioxx · · Score: 3, Insightful

    1. The market is already flooded with anti-virus applications, many of which are free.

    2. No business would invest into an application made by a freshman software company. They would choose experience and mindshare over empty, unsubstantiated promises.

    3. It doesn't take a few hundred thousand to write a decent AV application. You can create one on a shoestring budget and package it under $10,000 or less.

    4. You're assuming none of the AV products would be able to provide a "fix" for said virus, which would create a market for this fresh application. In the AV world, there is no such thing as "exclusive fix" to a widespread problem.

  9. Re:This is harsh, but it needs to be said by blincoln · · Score: 4, Insightful

    I know this may come as a shock, but there are plenty of careers where computers are a tool, not an end in and of themselves.

    I work in IT for a large retailer in the US. Most of our non-IT people are paid well because they sell lots of merchandise to customers and keep them coming back. People who are good at that tend *not* to have the time to learn how to use something like Linux.

    I used to have a similar sort of superior attitude about the vast majority of people out there who don't understand computer issues in any sort of detail. Then I started noticing how irritating it was when people who were specialized in other fields - e.g. medicine, car mechanics - did the same thing to me.

    I can understand giving someone a bit of trouble if they're clueless *and* work in a tech-related field, but not if they just use computers as a tool for getting something else done.

    Do you honestly know how to disassemble and repair your car and home appliances, or perform surgery? My body gets more use than my home or work PCs by default, but I can't perform more than basic repairs on it. Does that make me a moron? No, it just means that I do something else for a living.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  10. Re:This is harsh, but it needs to be said by blincoln · · Score: 5, Insightful

    In fact, I just had a vivid image of a doctor visiting a bunch of children in Iraq who'd lost limbs from playing with those cluster bombs that look like food packets and saying "You did what? Don't you retards know not to open unfamiliar packages?"

    See how petty and insulting it sounds when it's in relation to another line of work? That's how the "dumb user" attitude makes tech workers look to people in other fields.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  11. Re:Actual Cost of a Virus / SCO by Nogami_Saeko · · Score: 5, Insightful

    The real reason for the inflated damage estimates is that it sounds impressive in the media, which generates FUD, which generates more viewers, which sells advertising space.

    If a virus came out and the news reported it as causing "a few thousand dollars of damage across North America", would anyone give a damn? So the news directors and reporters try and figure out a more "interesting" damage estimate that they can broadcast. So, pump up those numbers! The virus caused $250 MILLION OF DAMAGES, suddenly sounds impressive and formidable.

    It has about as much bearing as when the RIAA sues people for tens or hundreds of millions of dollars because "the song they had shared 'could' have been sent to everyone on the planet, thus depriving the record company of any profits whatsoever".

    The reality is that in the office I work for, one person clicked on the attachment and got their machine infected. He continued working as normal and called the IT guys who came around and fixed it.

    Total lost productivity time? A 30 second phone call. Total lost revenue? $0.

    Compared to people just plain ol' "slacking on the job", viruses do a negligible amount of damage.

    Funny how you never hear about the '$50 billion in lost revenue' from employees taking three 15-minute "smoke breaks" every day.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  12. Re:Actual Cost of a Virus / SCO by Haeleth · · Score: 3, Insightful

    I know what you're trying to say, but seriously, however tired I am - however stressed I am - even if I'm so out of it that I try to make myself a coffee and forget to boil the water first - I have NEVER for a moment failed to recognise a virus email the moment I saw it.

    Oh, sure, companies should provide one one-day training course on virus recognition, to protect the truly ignorant.

    But after that, anyone who still falls for them should be fired, because they shouldn't be in a job which involves reading emails. You wouldn't give an alcoholic a job driving ambulances, would you?

  13. Re:This is harsh, but it needs to be said by fizbin · · Score: 4, Insightful

    "I know this may come as a shock, but there are plenty of careers where computers are a tool, not an end in and of themselves."

    And this may come as a shock - although I can't perform basic repairs on my car, and no one expects me to be able to, when I use my car as a tool to get me to and from my job, I am still held responsible for basic user cluefullness. I am expected to pay attention to all of my actions while using this tool, and no one thinks that it should be otherwise.

    That's all the poster asked for - he doesn't ask for people to be able to fix a bug in one of their init scripts. He doesn't even ask for the minimum of skills I would expect for a specifically technical job. He just asks that people not step on the accelerator when an interesting brick wall appears in front of them.

    Obviously, the consequences of being clueless with your computer are nowhere near the consequences of being similarly clueless with your car. However, the idea that you can be held responsible for paying attention to those actions you do perform is not unthinkable. Simply being aware of what you're doing should not be too much to ask.
  14. Re:Actual Cost of a Virus / SCO by ozric99 · · Score: 4, Insightful

    "I work for a well-known mail filtering company, and I'm getting a front-row seat for the impact this is having. It's large, even for companies that have our services.

    "Now, imagine you have tens of thousands of employees and you're not using a service like ours. You're going it alone. Your admins. Your equipment. Your anti-virus software which you hope gets the new signatures before the worm gets to you. Your admins and helpdesk staff are working their butts off for at least a week, probably more (not that they weren't already busy). You might have hundreds or even thousands of infected machines to deal with. Countless bounces. Suddenly, you find yourself looking at a cost reaching into the hundreds of thousands of dollars. Not a pretty sight."

    Nice advert for your services, you forgot the URL ;)

    I work in a 100% NT4 desktop corp environment (our admins, our equipment) and we have around 40,000 users on various domains. We use Exchange and Outlook. Wanna know how many of these "deadly" worms we've had infect our systems in the last 3 years I've been working there? None.

    There's nothing inherently deadly about MS stuff in a corp environment as long as your admins and engineers are worth the money they're paid. Frankly I welcome hearing how much cash companies are supposedly losing with this - let it be a kick up the backside. :)

  15. Re:Actual Cost of a Virus / SCO by TygerFish · · Score: 4, Insightful

    Actually, the guys you call 'morons' are just average people with respect to your chosen field of endeavor.

    They're not geeks and calling them morons on the basis of their not understanding computers is like calling someone a moron for not being a great chef, a gifted pianist, a brilliant chess-player, or an insightful auto-mechanic.

    Ceteris paribus, knowing nothing else about the poor schmuck panicking with his hot little hand on the mouse button, the word makes no sense. In fact, it may very well say more about the person who needs to reach for it than it does about the one to whom it's applied.

    --
    To mail me, remove the 'mailno' from my email addy.
    "Yeah. It smells, too..."
  16. Re:Actual Cost of a Virus / SCO by prandal · · Score: 4, Insightful

    Once a day is not enough! (I wish!)

    When the original MyDoom.A came out, we were catching them with ClamAV 5 hours before McAfee's patterns came out. A similar thing with MyDoom.B.

    Update your patterns hourly, as a minimum.

    Even that's not enough with a mass vectored attack in which thousands of compromised PCs are used to distribute a new virus at the same time.

    Antivirus vendors are going to have to rethink.

    We need rapid responses to newly detected viruses.

    Waiting hours for updated detection patterns isn't good enough, or soon won't be.

  17. Re:Actual Cost of a Virus / SCO by sjames · · Score: 3, Insightful

    That's why, in spite of the fact that "any moron can step over a loose cable" it is still necessary to keep cables away from foot traffic or at least tape them down. It's also why it's bad to log in as root all the time (for OSes that permit any other option anyway).