What's The Actual Cost of A Virus?
ThosLives writes "CNN Money just posted a story that says the MyDoom virus may cost businesses $250M. My favorite quote is that for small to medium businesses with 400 or less employees, the estimate is between $48,000 and $58,000 cost to 'secure themselves' from the particular virus. Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"
Let's see...
The cost of securing your mail server from viruses includes...
The total cost of protecting a company from *all* viruses that go to their business accounts runs around $200 maximum.
Any moron who works at a company and opens said attachment should be fired anyway. So in the long run, the company actually *saves* money by all these worms going out.
So that must mean that SCO must be rewarding the MyDoom author for all the extra money they keep from firing morons at their company that open those attachments. Wait... that can't be right...
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Another thing that's expensive and not to be forgotten is the bandwidth of sending all this crap spam. Why should the recipient of these messages bear the costs of the bandwidth essentially wasted because of these messages?
There's no place like localhost
This is one of those hand-waving statistics that is useful for showing the business leaders, but it's practically useless in day to day network protection.
These numbers used to be in the billions of dollars, but now they are more reasonable in the millions. If anything, it shows a trend in the perception of the value of data in a downwards direction. Everyone thinks data is some really important thing which should have a high value, but as more and more data is brought into the open (including, but not limited to, source code) the value of data drops.
I have been pwned because my
The truth of the matter is that it doesn't cost this much. People claimed that rtm's worm in 1988 cost $10 million due to losses in the stock market. But stocks come back up to what they were once people aren't scared anymore. No one lost money (except rtm, who lost $10k).
As has been said 100 times before, there are 3 types of lies: lies, damned lies, and statistics. This is just another case of statistics being used to lie.
Virus making is actually a good way to make profits. Hire one guy to write the virus, a few hundred thousand dollars spent on writing an antivirus program, and then sell millions of copies of said program at $50 apiece to people whose PCs were infected when they opened a program called Happy99.exe from Grandma.
The World is Yours.
The biggest cost of these sort of virus is time.
Time waiting for your 'net link to do what you've paid for it to do while your email server chokes on hundreds of incoming virus emails.
Time wasted by tech staff explaining to every user at least once to not click that file (or if the organisation has virus scanning) to ignore the ten dozen "virus has been nuked" warning emails.
Time wasted by staff who have to spend time ignoring this junk, replying to warnings about the thing from their naive friends and family emailing them CNN URLs and saying, "is this for real?"
Time wasted making sure the company virus protection is up to date on laptop machines that get infected at home on 'raw' Internet connections then get plugged into the pristine corporate network in the morning. Time wasted fixing machines that weren't caught in time.
This sort of cost really adds up...
But also, I feel user education can help a lot. Companies need to start implementing some sort of formal e-mail and internet usage training when people join the company and a refresher every so often.
Do your math: you say between $48K and $58K per small biz, so let's take a lowly $50K average. The sum is supposed to be $250M, which is only 5000 times those $50K.
Are there only 5000 small businesses out there?
I think not.
So those $48K to $58K must certainly be understood as a "worst case" figure applying only to a fraction of businesses out there.
Probably came from a 'Network Security Consultant', not a network engineer. The cost of course includes the hours billed by the consultant, who advises you on how to 'secure' your network.
Remember, a consultant is someone who'll steal your watch, then make you pay them to tell you the time.
"Nothing is so important that you cannot make fun of it." -Clarke
If you get infected you have the cost of fixing the computers, downtime and lost productivity, loss of earnings, etc. All of this can add up to many thousands of dollars.
The company I work for has not become infected; the only cost of the virus is stupid bounce back messages and an hour of my time fine-tuning our mail server config. Due to this the virus has cost us something, but it's hardly worth mentioning.
The cost of having a good anti-virus system is really easy to justify.
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
Yesterday I spent at least a couple of hours clearing some spyware from a PC: it had completely infiltrated the registry, was replacing all attempts to reach other web sites via MSIE with its own page, killing Mozilla, killing the various anti-spyware programs... OK, killing various processes with names like 'sistem' and deleting a bunch of recently-installed DLLs helped me recover control.
But I pity the millions of people whose PCs are infested with dialers, trojans, browser-infecting gremlins. These are not technical 'viruses' because they don't propagate. But they are very serious time wasters,
Ceci n'est pas une signature
Securing your business against a virus: $58,000
Reading about it on my Mac: Priceless
Slashdot Eds Link Anonymous Posts With Logged Posts
They Are Vermin Feeding On Each Other's Feces.
I Hate \.
The cost isn't just the guy who "downloads the anti-virus-defs". The cost comes from machines not being usable for some time before the worm is under control, from people who have to sort through hundreds of junk bounces, from preemptively switching passwords on all infected and related systems. The sad thing is that it's hardly possible to prevent these costs. That would raise the value of the IT department close to the avoided costs. But how do you defend against users who activate worms while actively working around restrictions to see the attachment?
I'm surprised that an Asian version of these viruses hasn't made the rounds yet. I'm curious if businesses in S. Korea would be just as affected if this virus was socially written for that part of the world.
Life is not for the lazy.
MyDoom virus - $250M
:)
400 or less employees - $58,000
DDOS SCO - priceless
There's some news money can't buy. For everything else, there's Slashdot.
Our office mail server is a linux box. It's a nice little redhat, properly administered. Haven't had a bit of trouble. Major government contractor across town has NT all over, massive problems. Of course, our email server doesn't allow .exe, .scr, .vbs extensions for attachments at all. There's a few more that are disallowed. The server replaces those attachments with a .txt file which states that a file has been removed.
One good example is in the Bruce Sterling non-fiction book "The Hacker Crackdown" - which can also be read online. To sum up, the financial cost of getting a particular document taken from a mainframe was given as the total cost of the mainframe, a terminal and the salaries of a bunch of people going up the hierarchy from the person who wrote the document, for far longer than that person actually spent working on that document (i.e. paying for someone to write it at the rate of a few words a day, someone else to stand behind them and look over their shoulder for days, someone behind them etc). The defence proposed that the actual worth of the document was the few bucks plus postage that other people paid for it when they ordered it from the company over the phone.
Opportunity costs are difficult to calculate, one missed email and you could have been a contender - on the way to fame and fortune - but it's more likely that the email is just spam.
Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"
It isn't just one person working on the virus.
With really bad viruses it will take a week of work, if you are lucky and it doesn't spread too badly.
You probably have the entire server/desktop team working on the updated anti-virus software and how to deploy it.
You have the entire Tech Support team who actually go out to people's desks when they think they have the virus.
You have the entire helpdesk team swamped with calls, many of which are just asking questions about the virus, rather than even thinking they might have it.
You have the actual end-users who are getting paid to twiddle their thumbs while they wait for tech support to check out their PC.
And you have all the management in a huff and having lots of meetings to talk about the virus which they really don't understand while all the IT people do all the actual work.
Try to be more sensitive, those dollars add up!
Also, while they probably don't pay overtime, they probably count the cost as if they did.
Promote Sensitivity on Slashdot, make me your friend.
Things such as repairing the machine after the virus is activated by dumb user
productivity lost by user, files lost etc.
severance pay for dumb user
hiring fees for the replacement (ad costs etc)
Of course when the dumb user is also the boss/owner of the company it can cost a whole new computer just for starters (Dual G5 with everything) and a lot of time reshuffling computers to incorporate this one into the company plus new firewalls.
Yep those viruses can be costly
You're all thinking it, I just said it for you.
it seems like it would actually be LESS expensive for businesses to run Mac or Linux boxes than Windows. Or at least use a mix of OSes so not everything is vulnerable.
Perhaps that would be sound corporate IT strategy?
It's very simple: all the staff should be taught NOT to open email attachments containing the usual bad file endings. That's one 5 to 10 minute meeting.
On a funny side, awareness for viruses can be achieved by putting up posters like this:
Safer Surf.
is that for the download of a free email client, Mozilla, none of these fake losses would be incurred.
The articles about losses from email worms consistently fail to address the problem of crap email clients (or more correctly, THE crap email client) that causes this problem. They also give the same two pieces of advice, "use anti-virus software and don't open attachments", conspicuously leaving out the most important advice: change your email client.
Is it because they are embarrassed that they use this same client, and haven't got the brains to switch to Mozilla? How can they give advice to people to change email clients when they can't do it themselves?
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
Well, Mandrake Linux fits on three CDs, so I'd say the cost of securing a business against virus attacks is about 75p.
The reason why so many attacks are against Windows is that Windows is usable by complete morons -- and, as an inevitable result, you get complete morons using it. Yes, we all know GNU/Linux requires a little tech savvy. You don't get smart enough to use GNU/Linux without first learning that running just any old programme when you don't have the faintest idea what it does, is a bloody stupid thing to do. On the other hand, any living advertisement for the pro-choice movement can fire up Windows XP and get their computer riddled with malware in a twinkling. Why? Because Windows is too easy to use.
It's a perfect illustration of reverse evolution in action. You try to make something idiot-proof, then nature only goes and comes out with a dafter idiot.
You could never make a car that a five-year-old could drive safely -- and even if you could, it would necessarily lack so much functionality it would barely be usable. Really, there's no point trying -- it's better to issue full driving licences only to adults and only on completion of a test. And then we don't have to suffer the consequences of cars that would be driveable by five-year-olds.
The very fact that GNU/Linux naturally weeds out complete retards probably explains why there are not -- and will never be -- as many GNU/Linux exploits as there are Windows exploits.
Je fume. Tu fumes. Nous fûmes!
You know, I've always wondered if BSD-type "jails" could be implemented on windows in regards to email messages containing attachments, or if such a thing exists, why isn't it widespread to cut virus propagation?
Sort of like isolating Outlook, which runs attachments in a virtual server where viruses would be locked in a controlled environment and fail to spread outside of that system.
1. The market is already flooded with anti-virus applications, many of which are free.
2. No business would invest into an application made by a freshman software company. They would choose experience and mindshare over empty, unsubstantiated promises.
3. It doesn't take a few hundred thousand to write a decent AV application. You can create one on a shoestring budget and package it for $10,000 or less.
4. You're assuming none of the AV products would be able to provide a "fix" for said virus, which would create a market for this fresh application. In the AV world, there is no such thing as "exclusive fix" to a widespread problem.
We block almost all attachments, but allow .zip files through

A good scanner can look inside .zip files, and block .zip files containing executables but allow those with plain documents through. If I were you, I would consider upgrading to a better scanner.
The big costs are a sum of the following:
- wasted work time due to reading panic articles;
- wasted work time because the IT department immediately shuts down all email communication;
- wasted time because "my wife just lost all her files... must be a virus";
- and finally, lost time trying to calculate journalist estimates = total waste of brainpower.
And... if you sum all that, the above-mentioned costs start looking like peanuts.
http://www.automatiq.se
Wow, this topic really got me thinking. All that time I spend every day deleting spam, drinking coffee, having toilet breaks. It all adds up. It's amazing I ever get time to do any work.
In fact, I've just figured out that if we can shut down slashdot - maybe feature it on a front page article and get it slashdotted - we could scrape together enough coin to fulfill George Bush Junior's plan of putting a person on Mars.
Do the math:
800,000 Readers a day
30 Minutes a day to scan the front page and browse at level 5
$30 Per hour wage, these are _mostly_ employed geeks after all
$24,000,000,000 Annual lost time cost, assuming a 40 hour week, 50 weeks of the year.
The argument I hear the most, without a doubt: "Windows gets more viruses because it's more popular". I call bullshit! I know it's bullshit because of Apache. Apache, by almost any web server survey, has at least as many servers as IIS (netcraft says between 2x and 3x, but let's say just as many for the sake of argument). So by this reasoning, apache should have as many worms as IIS. But, as far as I can remember, there have only been two Apache worms. Neither of which btw were as crippling as any IIS worm. In fact, I was running multiple apache servers at the time of both of them and got neither one. What about Oracle? IIRC Oracle has a larger market share than sql server. Do we know of any RDBMS worms as devastating as slammer?
Microsoft still isn't taking security seriously. Although this virus requires user interaction, Microsoft shouldn't make it so easy to execute content. Hell, content can be executed just by looking at the preview pane in outlook. Check out the story over in developers. MS decided instead of fixing the url spoofing bug that phishers have been using since december, they are just going to not allow urls with an @ sign in them.
Then you've got your idiots over at security focus, such as Tim Mullen (who is a security consultant for MS btw) who believes security shouldn't be an issue for MS to worry about. It should be the end user who worries about it. It's no wonder they do not take security seriously when you've got people with views like that advising you.
Let's not forget the anti virus companies. Their livelihood is protecting people from viruses. Not stopping them, protecting people from them. If we didn't have viruses, then the anti virus companies would be out of business.
When you've got all this political bullshit swirling around the only one that loses is the end user. The one who bought their computer to enhance their life. To get onto the internet and research car safety because their teenager is about to drive. Or the grandma who wants to receive pictures from her grandchildren. Or the first time user that gets a virus within 15 minutes of plugging in their new computer, ensuring they will probably hate it from that point on.
The notion that ordinary users should pay to have virus protection seems rather antiquated in this age of mass mailing worms etc that have more effect on businesses than homes.
I personally use a great freeware antivirus program from a German company called AntiVir (www.free-av.com), which gives it away for personal use but requires commercial use to have a licence (as a nice aside, it is WAY more efficient than the bloated Norton apps). This makes sense, as it's businesses that keep telling us they're losing millions of dollars when a virus hits them, whereas home users might be inconvenienced for a little while but not seriously affected in most instances.
How about having the government recommend some free antivirus programs, or even require companies to sponsor antivirus companies, since it's in their interests to do so?
Visceral Psyche Films
How much money would it cost, to install - say - Linux on all desktops, and never let any employees use Internet Explorer or Outlook ever again? I think in the long run it would be cheaper than getting hit by a virus every few months...
You don't pay tax on loss in earnings. That should make many managers and accountants *VERY* happy. Now how come you *NEVER* find even a rough estimate of the cost of viruses and worm attacks on the financial balance presentations of *ANY* corporations?
I mean, $48000-58000 for each attack is a lot on the balance of a healthy 400 employee company ($3,000,000 revenue, $100,000 EBITA).
--
I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour -- F. H. Wales (1936)
Where oh where do they get these figures? At my company we have two lines of defense...One is TrendMicro for Exchange and the other is NAV Corporate Edition. Anything that doesn't get stopped at the SMTP server will get picked up by Norton. I figure the two of them combined cost somewhere around $1000-$1500 to cover all of our workstations. Besides that, the only cost the virus is incurring is my time looking over the logs, which basically have been saying the same thing over and over for the last three days. This is a far cry from the $48,000 - $58,000 they say it takes to secure yourself from one teeny little worm virus.
If the virus got in, the cost of fixing it would be based on the method of removal, how many computers got infected, and what the downtime costs our business. These are three variables that certainly can't be guessed. Something tells me they just pick out numbers that are big enough to impress the media and small enough to avoid losing whatever credibility they have left.
-R
I work for a small computer service company in the Detroit area. We get typically $149/hour for operating systems/software support. Given the case of a small company with 20 workstations and a server for their employees to use that has nothing in place for virus protection, and that most, if not all machines have become infected, figure this:
.25-.75 hours per machine to disinfect
.25 hour to load new AV software per machine, download updates for program and signatures, etc...
Figures to 21 hours max at $149/hour... $3129 in labor. Norton AV Corporate edition with 25 seat licensing (don't forget, that server is included as a seat, and you can only buy in 5, 10 and 25 seat increments) costs $869.00 per Symantec's website. With the 30% markup my employer would add and state sales tax added, that comes to software costs of $4326.48.
Figure in any additional labor to reinstall any software or operating system components that were damaged by the infection and you've got one whopper of a bill for a small business to drop because a multibillion-dollar corporation cannot spend the proper amount of money and time to thoroughly investigate and secure their operating system products. Then figure in the cost of annual subscription fees to download updates to the virus updates (I don't recall the actual figures for annual subscription fees, but my sister's company has three pc's in a peer-to-peer environment and each machine costs $20 annually for that subscription). Pretty hefty.
Considering that there's a lot of us in the IT sector out of work, viruses can be a godsend. Why? 'Cause, even if it's only for a week or so, we get called by the local contract companies to clean it up. I did a 2 week stint at Honeywell in Phoenix doing just that. I was unemployed when they got hit by whatever virus back in August and got the call to help with its cleanup. This later turned into a longer contract to help out their PC Techs clean out their ticket backlog caused by the virus; some 2000 or so tickets generated and left untouched during the cleanup. We were out there for a total of 5 weeks.
Stuff like this, large companies needing to outsource virus cleanup, is also a major factor to be considered when looking at those numbers. Figuring that the contract companies got an average of $25/hr for each of us and multiply that by the initial order of just over 100 techs for the first 2 weeks of cleanup (Honeywell has numerous, large facilities around Phoenix), and you see just how much money these things can cost a company.
Fifty watts per channel, baby cakes.
I taught my grandmother to use a computer. She, like other old people, has some difficulty using it but opening e-mails is not a big deal. She just clicks on a message and reads it. She even learned to send messages herself and was very proud of this.
But this time she got in trouble. I don't know how - maybe antivirus software was disabled or something else but MyDoom infected her computer. Yes, it was Windows. I actually don't have much time to install software for my family members and just bought a second hand computer with Windows and everything and gave it to her to use. Now I think I will take some time to wipe it out and install Linux instead.
It is the psychology of inept users to click on things. It cannot be changed, at least not easily. There will always be some grandma or some office clerk who will click and execute an attachment regardless of how many warnings there are. That is the biggest security problem with Windows systems - the files are always executable by default. It is different in Linux. To run a script you need to set the executable attribute first. Who needs to execute an attached file anyway?
The security which does not take into account user psychology is worthless. I predict that there will be more viruses like MyDoom in the future as there were in the past. The whole Windows architecture is broken with regard to user interaction and it cannot be easily fixed.
--
I'm the sysadmin for a small ISP. Here's our rough figures:
New mail server, bought last February: $2500
FreeBSD 4.8: $0.
Qmail: $0.
Vpopmail: $0.
qmail-scanner: $0.
Spamassassin: $0.
F-prot antivirus for unix file servers: $400/year/server.
My time*: $3000.
Moving from sendmail to qmail and watching sendmail admins patching: priceless.
Moving from sendmail to qmail and watching server load averages go from 20 to 0.02: priceless.
Adding on spamassassin server wide and watching server load averages go from 0.02 to 3.0: well, it's still better than sendmail was.
Watching the server eat 30,000 viruses a day during the MyDoom attack after months of hard work: totally righteous.
There are some things money can't buy. For everything else, there's my Boss' Mastercard. Accepted in places where Open Source Software impresses geeks like me.
* I'd never before used any of the software listed above. It took a while to learn it all in between tech support calls.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
It's difficult to say how much exactly a business loses, how much they report lost to the IRS (US taxation). However a couple of "factoid" opinions can be formulated.
A. Exposure/non-exposure is not guaranteed; sometimes even the best protected business will have viruses/malware walked in via laptops and VPNs.
B. The bigger the bureaucracy the greater the cost; the less flexible the business and the more tiers in their chain of command, the more stops on the way to a cure and the more junk left behind by people who are "willing to take the risk", "do not need to replace this in this fiscal quarter", "downsize systems administrators", "Microsoft and Cisco are the only way to go", "We're not supporting more than one operating system here!".
C. Administrivia does not replace security. You can tell a user not to do something a thousand times just to see them do it again. This includes policies such as "do not bring your laptops/data/crap" from home and plug it in to the corporate LAN, "don't run AOL, etc...", do not install the Corp VPN client on your home computer without a firewall.
D. Antivirus software is most likely already present in most corporate and home setups (unless in the dark ages) and hence it's the failure of this technology that causes outbreaks.
E. The larger the warehouse of administrative/clerical/non-technology workers using Windows(tm)/Office(tm) the greater the chance for an all-out systems down. Esp. if this cubicle field is adjacent to a Windows NT/2000(tm) server room with Microsoft Certified Systems Engineers (MCSE) running the show, chaperoned by a Microsoft Certified IT Manager (MCIM) who reports to a Microsoft Certified Chief Information Officer (MCCIO)(tm). (but I digress)
F. The less able the business is to do business without computers, the greater the cost. E.g. all systems down in a used car lot means they cannot print contracts or run computer based credit/loan checks; however paper still works great.
All systems down in a Webhosting company is an immediate loss, followed by a long-term customer loss which can reflect directly into dollars. That all being said, I think the numbers are BULL****! BULL****! BULL****! They are brought to you by the same people who slap those "Information Security Incidents may cost this business $10000000000000000 per incident" posters near the water cooler. Scary enough though people get convicted for crimes under the same "public scare" principle though.
The cost is not just money spent on Antiviral products. These are available for free but most companies would rather pay a little extra and get support for the product. All software causes problems of one kind or another, might as well pay upfront for the solution.
.exe messages will not help. Most workers will have no idea how their computer works. You might as well fire them for not being able to tune the breakroom TV. A better policy of blocking mail and scanning it would help. But that takes a skilled IT dept, who will be better paid at a larger company.
The extra costs come from lost time. Some of that is very hard to measure. 400 person companies will not have a large helpdesk or IT staff. They are caught in a situation where a large staff is not needed normally, but the existing staff is too small to handle a big problem. So when a large problem does arise the few staff are overworked and it takes a long time to fix, hence the lost money.
Large companies have large support staffs, smaller companies can be fixed relatively rapidly. Those caught in the middle get screwed.
Firing staff for opening

Actually, it really *is* possible to get your costs down to an insignificant level in a small business.
Firstly, my email server bounces all emails with attachments like .exe, .scr, .pif, and the like. No virus coming in, and it generally buys enough time until the anti-virus software can be updated. Cost? Free. Setup time? Less than half an hour, and lasts indefinitely.
Secondly, I have Symantec Antivirus Corporate Edition installed on a server and on all client workstations. It automatically downloads new updates every week. Ok, there was an initial cost to the program, I think $3,000; I haven't bought updates for a few years because it still works great. Why fix what ain't broke? There is the initial setup time, which is 5 minutes per machine, but once it's set up, I've never had to fiddle with it again. Cost plus my time? Realistically, it can be distributed over a three to four year time period, so maybe $600 a year?
This latest virus does do some .zip attachments, which can get past the email server filter, so it will be interesting to see what happens; but, I suspect not much.
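Several posters above describe the same gateway control: bounce or strip attachments with executable extensions (.exe, .scr, .pif, .vbs), replace them with a .txt note saying a file was removed, and look inside .zip archives so that a worm cannot hide an executable behind an allowed container. The following is an added example of that filter in Python, written for this page; it is not code from any poster's mail server or from qmail-scanner, Trend Micro or Symantec. The blocked-extension list, the notice wording, the function names and the sample message are all my own choices, and the sample attachments are constructed inline (not a captured MyDoom sample).

```python
"""Mail-gateway attachment filter (added example, assumptions noted inline).

Strips attachments whose extension is on a block list, including ones
hidden inside .zip archives, and replaces each with a small .txt notice
so the recipient still knows a file was removed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# Extensions the thread's posters block outright. The exact set is my choice.
BLOCKED_EXTS = {".exe", ".scr", ".pif", ".vbs", ".com", ".bat", ".cmd", ".js"}

# Wording of the replacement note is an assumption, not any product's text.
NOTICE = "Attachment '{name}' was removed by the mail gateway: {reason}."


def _ext(name: str) -> str:
    """Last extension, lowercased, so 'document.txt.pif' yields '.pif'."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def offending_reason(name: str, data: bytes) -> Optional[str]:
    """Return why an attachment is blocked, or None if it may pass.

    A .zip is opened and every member name is checked; a nested .zip or
    an unreadable archive is treated as suspicious too (my policy choice).
    """
    ext = _ext(name)
    if ext in BLOCKED_EXTS:
        return "extension %s is not allowed" % ext
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    mext = _ext(member)
                    if mext in BLOCKED_EXTS or mext == ".zip":
                        return "archive contains %s" % member
        except zipfile.BadZipFile:
            return "zip archive is malformed"
    return None


def strip_dangerous_attachments(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse a raw RFC 5322 message; replace each offending attachment with a
    text/plain part named '<original>.txt'. Returns (message, removed names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text, no filename: leave it alone
        reason = offending_reason(name, part.get_payload(decode=True) or b"")
        if reason is None:
            continue
        removed.append(name)
        part.clear_content()  # drop payload and all Content-* headers
        part.set_content(NOTICE.format(name=name, reason=reason),
                         disposition="attachment", filename=name + ".txt")
    return msg, removed


def make_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in entries.items():
            zf.writestr(member, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed test message: two harmless and two dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(make_zip({"readme.txt": b"hello"}),
                       maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 32, maintype="application",
                       subtype="octet-stream", filename="setup.scr")
    msg.add_attachment(make_zip({"document.txt.pif": b"MZ"}),
                       maintype="application", subtype="zip", filename="payload.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, gone = strip_dangerous_attachments(build_sample_message())
    print("removed:", gone)
    print(cleaned.as_string())
```

Checking the last extension rather than the first is what catches the double-extension trick ("document.txt.pif"); looking inside archives is what the .zip variant of the worm would otherwise get past. The filter does not replace a signature-based scanner: it buys the time until signatures arrive, which is exactly the role the poster above gives it.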
I used to work at a company that does storage and fulfillment for Toyota Motor Manufacturing. They have a contract that says for every hour they can't deliver product, they owe Toyota $100,000. So if a virus were to knock them offline for a 5 hour period, they would lose $500,000 on fines alone.
In other words, they "can't live without" the scheduling, etc. that Outlook and Exchange provides.
Mozilla Mail doesn't provide the scheduling- and even if it did, it's not integrated into the framework like Outlook's is. Same goes for Pegasus Mail, Eudora, and any of the other programs out there.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
The "smoke breaks" are something different though. While the employees may not be working during that time, they are relaxing (and possibly discussing current projects they're working on). When you let your employees work in a more comfortable environment, stress is reduced and (theoretically) they will be more productive. Take it to the extreme: half a day taking smoke, coffee, lunch, bathroom breaks, half a day of very relaxed work. Or the other extreme of having no breaks except absolutely-required-bladder-about-to-burst breaks, and you have an environment where no one wants to do anything except their exact job description, for fear that they will be viewed as unproductive and not be chosen for a raise, or worse, be on top of the list to be eliminated.
OK, kinda off the virus topic, and I'm not really in the big world work force yet, only 18 (19 on Feb 2!), and I'm sitting in my college dorm room, but hey, I'm bored.
insert generic