Slashdot Mirror


What's The Actual Cost of A Virus?

ThosLives writes "CNN Money just posted a story that says the MyDoom virus may cost businesses $250M. My favorite quote is that for small to medium businesses with 400 or less employees, the estimate is between $48,000 and $58,000 cost to 'secure themselves' from the particular virus. Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"

10 of 526 comments (clear)

  1. Don't Forget Bandwidth by DotNM · · Score: 5, Interesting

    Another thing that's expensive and not to be forgotten is the bandwidth of sending all this crap spam. Why should the recipient of these messages bear the costs of the bandwidth essentially wasted because of these messages.

    --
    There's no place like localhost
  2. As long as you are not infected by a.koepke · · Score: 4, Interesting

    If you get infected you have the cost of fixing the computers, downtime and lost productivity, loss of earnings, etc. All of this can up to many thousands of dollars.

    The company I work for has not become infected, the only cost of the virus is stupid bounce back messages and an hour of my time fine-tuning our mail server config. Due to this the virus has cost us something, but its hardly worth mentioning.

    The cost of having a good anti-virus system is really easy to justify.

    --


    (\(\
    (^.^)
    (")")
    *This is the cute bunny virus, please copy this into your sig so it can spread
  3. Inflated costs AGAIN - that trick never works by dbIII · · Score: 4, Interesting
    These things get blown out of proportion to feed egos.

    One good example is in the Bruce Sterling non-fiction book "The Hacker Crackdown" - which can also be read online. To sum up, the financial cost of get a paticular document taken from a mainframe was given as the total cost of the mainframe, a terminal and the salaries of a bunch of people going up the heirachy from the person who wrote the document, for far longer than that person actually spent working on that document (ie. paying for someone to write it at the rate of a few words a day, someone else to stand behind then and look over their shoulder for days, someone behind them etc). The defence proposed that the actual worth of the document was the few bucks plus postage that other people paid for it when they ordered it from the company over the phone.

    Opportunity costs are difficult to calculate, one missed email and you could have been a contender - on the way to fame and fortune - but it's more likely that the email is just spam.

  4. This is harsh, but it needs to be said by ajs318 · · Score: 5, Interesting

    Well, Mandrake Linux fits on three CDs, so I'd say the cost of securing a business against virus attacks is about 75p.

    The reason why so many attacks are against Windows is that Windows is usable by complete morons -- and, as an inevitable result, you get complete morons using it. Yes, we all know GNU/Linux requires a little tech savvy. You don't get smart enough to use GNU/Linux without first learning that running just any old programme when you don't have the faintest idea what it does, is a bloody stupid thing to do. On the other hand, any living advertisement for the pro-choice movement can fire up Windows XP and get their computer riddled with malware in a twinkling. Why? Because Windows is too easy to use.

    It's a perfect illustration of reverse evolution in action. You try to make something idiot-proof, then nature only goes and comes out with a dafter idiot.

    You could never make a car that a five-year-old could drive safely -- and even if you could, it would necessarily lack so much functionality it would barely be usable. Really, there's no point trying -- it's better to issue full driving licences only to adults and only on completion of a test. And then we don't have to suffer the consequences of cars that would be driveable by five-year-olds.

    The very fact that GNU/Linux naturally weeds out complete retards probably explains why there are not -- and will never be -- as many GNU/Linux exploits as there are Windows exploits.

    --
    Je fume. Tu fumes. Nous fûmes!
  5. Re:Actual Cost of a Virus / SCO by gujo-odori · · Score: 5, Interesting

    That's not even close to the cost, even if you work very, very cheaply.

    The cost of anti-virus and related is the least part of the equation, even factoring in the admin's time, and I don't care *how* cheaply you work. Not even if you're a volunteer.

    The real cost is factored more like this:

    - Staff hours that are lost looking at false bounces (or worse, getting infected, something which is very common) and having to correct that

    - Helpdesk hours that are lost answering questions from people with a mailbox full of bounces for stuff they didn't send (or we hope not);

    - Helpdesk hours that are lost disinfecting the
    machines of all those who clicked the attachment. Mostly, the same ones who fell for it last time, too.

    - Sysadmin hours that may be spent on watching over stressed mail queues to make sure they don't get full, and dealing with potential mail backlogs.

    Those are three broad areas, I'm sure the accounting department could tell me a bunch more of their favorites.

    Let's say you make $20 per hour at your job. The cost of your benefits is probably also about $20 hour, assuming health insurance, etc. Heck, it could be more. But lets go with $40/hour as the total cost of your compensation for this example.

    Now, let's say you lost 30 minutes of productivity to a worm. OK, $20 bucks that your company spent on having you do something other than your job function. But, you're way smarter than most of your colleagues. You didn't click it. You've just wasted 30 minutes initially looking at what it was, deleting more copies that came in, and deleting bounces, and you ever even called the help desk. Most people are probably at one hour, maybe more. Lots more, if they got
    infected.

    If by some chance it works out that the average cost of compensation (salary + benefits) in your company is $40/hour, and you have 100 employees and on average each person lost 30 minutes to the worm (again, I bet it's hard to get the number that low in most companies when a big wrom like this appears), that's $2000 right there. Antivirus software is not even factored in because you either had it already or not, but either way, it's not a directly related expense.

    OK, that was the first day. People will deal with more crap in their mailboxes tomorrow, and the day after and quite a few days after. At least for a week, you might expect to have a company-wide average of 30 minutes per person, per day, spent on things related to the worm.
    Now we're at $10,000.

    This all assumes that no data was damaged or destroyed (if it was, the monetary value of that data, if irreplaceable, is charged. For replaceable data, the cost of an admin restoring it is charged).

    And don't think your average will probably be that low. If a lot of people get infected, your helpdesk staff and sysadmin staff will probably be spending the majority of their time on this problem for at least a week. In a typical 100-person company with a Windows machine on every desk, you may be really lucky to get away with $10,000 chargeable to the worm.

    I work for a well-known mail filtering company, and I'm getting a front-row seat for the impact this is having. It's large, even for companies that have our services. If you have tens of thousands of employeeds, you're going to see a lot of bounces coming in, and those divert staff time to deal with them.

    Now, imagine you have tens of thousands of employees and you're not using a service like ours. You're going it alone. Your admins. Your equipment. Your anti-virus software which you hope gets the new signatures before the worm gets to you. Your admins and helpdesk staff are working their butts off for at least a week, probably more (not that they weren't already busy). You might have hundreds or even thousands of infected machines to deal with. Countless bounces. Suddenly, you find yourself looking at a cost reaching into the hundreds of thousands of dollars. Not a pretty sight.

    While

  6. Re:Actual Cost of a Virus / SCO by Snad · · Score: 5, Interesting

    The cost of 400 yellow post-it notes saying "DO NOT OPEN FILE IF EXE OR SCR!"

    You don't even need this one. Just strip all incoming executables at the mail server so the user never gets anything dangerous to click on.

    We did that (at an admittedly small - just under 100 user) site using MailMarshal, now known as NetIQ Marshal.

    There's never any good reason to send an executable file via e-mail anyway. Software updates etc are better accessed through ftp or straight off the web. Self extracting archives (zip files) are unnecessary given the number of free decompressors available if the company is too cheap to pay for licenses.

    Blocking all (Windows) executables is easy in most filtering software, removes the worry of not being up to date with anti-virus library files, and works 100% of the time.

    This was back in the days of the good old Anna Kournikova, ILoveYou and similar viruses. We had exactly zero infections, and zero problems.

    Yes you can still get viruses in other ways (if some damn fool downloads a virus direct from a website) but how often does that actually happen? They all come via e-mail, and propagate via e-mail - be it your server or their own SMTP connection.

  7. Re:Actual Cost of a Virus / SCO by Alioth · · Score: 4, Interesting

    A better thing is to simply reject all emails with attachments, except for very specific ones on your allow-list that are known safe (for example, .jpg). This way, even if you get a virus that your virus scanner doesn't yet recognise - it gets rejected. There are other methods of sending files that don't require email.

    As for anyone who opens attachments, it's fine to say that when you've got at least reasonably computer savvy users. However, many small companies have one computer 'expert' (which may be the boss's son) and a computer illiterate workforce who knows how to type a letter in Word and send an email. They don't know what EXE or SCR is and are unlikely to remember. They might be fabulous truck drivers on the other hand, who've never had a wreck and who always get their vehicle to where it's going on time. Why fire them for a mistake in something they have little knowledge about?

  8. Re:+1 Funny Because It's True by bangular · · Score: 5, Interesting

    The argument I hear the most, without a doubt "Windows gets more viruii because it's more popular". I call bullshit! I know it's bullshit because of Apache. Apache, by almost any web server survey, has at least as many servers as IIS (netcraft says between 2x and 3x, but let's say just as many for sake of argument). So by this reasoning, apache should have as many worms as IIS. But, as far as I can remember, there have only been two Apache worms. Neither of which btw were as crippling as any IIS worm. In fact, I was running multiple apache servers at the time of both of them and got neither one. What about Oracle? IIRC Oracle has a larger market share than sql server. Do we know of any RDBMS worms as devistating as slammer?


    Microsoft still isn't taking security seriously. Although this virus requires user interaction, Microsoft shouldn't make it so easy to execute content. Hell, content can be executed just by looking at the preview pane in outlook. Check out the story over in developers. MS decided instead of fixing the url spoofing bug that phishers have been using since december, they are just going to not allow urls with an @ sign in them.


    Then you've got your idiots over at security focus, such as Tim Mullen (who is a security consultant for MS btw) who believes security shouldn't be an issue for MS to worry about. It should be the end user who worries about it. It's no wonder they do not take security seriously when you've got people with views like that advising you.


    Let's not forget the anti virus companies. Their lively hood is protecting people from virii. Not stoping them, protecting people from them. If we didn't have virii, then the anti virus companies would be out of business.



    When you've got all this political bullshit swirling around the only one that loses is the end user. The one who bought their computer to enhance their life. To get onto the internet and reasearch car safety because their teenager is about to drive. Or the grandma who wants to recieve pictures from her grand children. Or the first time user that gets a virus within 15 minutes of plugging in their new computer, ensuring they will probably hate it from that point on.

  9. Virus attacks keeps SOME folks in a job... by logicassasin · · Score: 4, Interesting

    Considering that there's a lot of us in the IT sector out of work, Virii can be a godsend. Why? 'Cause, even if it's only for a week or so, we get called by the local contract companies to clean it up. I did a 2 week stint at Honeywell in Phoenix doing just that. I was unemployed when they got hit by whatever virus back in August and got the call to help with it's cleanup. This later turned into a longer contract to help out their PC Techs clean out their ticket backlog caused by the virus; some 2000 or so tickets generated and left untouched during the cleanup. We were out there for a total of 5 weeks.

    Stuff like this, large comapnies needing to outsource virus cleanup, is also a major factor to be considered when looking at those numbers. Figuring that the contract companies got an average of $25/hr for each of us and multiply that by the initial order of just over 100 techs for the first 2 weeks of cleanup (Honeywell has numerous, large facilities around Phoenix), and you see just how much money these things can cost a company.

    --
    Fifty watts per channel, baby cakes.
  10. Potential Loss by div_2n · · Score: 4, Interesting

    I used to work at a company that does storage and fulfillment for Toyota Motor Manufacturing. They have a contract that says for every hour they can't deliver product, they owe Toyota $100,000. So if a virus were to knock them offline for a 5 hour period, they would lose $500,000 on fines alone.