What's The Actual Cost of A Virus?

ThosLives writes "CNN Money just posted a story that says the MyDoom virus may cost businesses $250M. My favorite quote is that for small to medium businesses with 400 or less employees, the estimate is between $48,000 and $58,000 cost to 'secure themselves' from the particular virus. Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"

Actual Cost of a Virus / SCO

[DarkHelmet]

Let's see...

The cost of securing your mail server from viruses includes...

1. Download of Antivirus for sendmail
2. Installation of said program. (Which is about a day if you factor in moron-ness)
3. Keep new viruses in check.
4. The cost of 400 yellow post-it notes saying "DO NOT OPEN FILE IF EXE OR SCR!" (as a contingency plan.

The total cost of protecting a company from *all* viruses that go to their business accounts runs around $200 maximum.

Any moron who works at a company and opens said attachment should be fired anyway. So in the long run, the company actually *saves* money by all these worms going out.

So that must mean that SCO must be rewarding the MyDoom author for all the extra money they keep from firing morons at their company that open those attachments. Wait... that can't be right...

Re:Actual Cost of a Virus / SCO

[cubicledrone]

Any moron who works at a company and opens said attachment should be fired anyway.

So remember folks: all those years of school, training, reading, getting up at 5:30AM, working your ass off, overtime, weekends, holidays, sitting in meetings, telling your asshole boss how smart he is...

...all reverse vacuumed into the shitpipe because you made one mistake. There's no excuse for being human in an inhuman workplace. Take your parting gifts, pack up your shit and get the fuck out. Time to watch your career get destroyed.

Re:Actual Cost of a Virus / SCO

[PowerBert]

We use MailScanner which can work with Sendmail or exim and it supports many different AV programs.
It doesn't just do viruses though, it can run Spam checks (with or without the help of spamassassin), Filter out (and remove) dangerous HTML, filter/remove file attachments and has lots of other useful features.

Definately worth checking out.

Re:Actual Cost of a Virus / SCO

[gujo-odori]

That's not even close to the cost, even if you work very, very cheaply.

The cost of anti-virus and related is the least part of the equation, even factoring in the admin's time, and I don't care *how* cheaply you work. Not even if you're a volunteer.

The real cost is factored more like this:

- Staff hours that are lost looking at false bounces (or worse, getting infected, something which is very common) and having to correct that

- Helpdesk hours that are lost answering questions from people with a mailbox full of bounces for stuff they didn't send (or we hope not);

- Helpdesk hours that are lost disinfecting the
machines of all those who clicked the attachment. Mostly, the same ones who fell for it last time, too.

- Sysadmin hours that may be spent on watching over stressed mail queues to make sure they don't get full, and dealing with potential mail backlogs.

Those are three broad areas, I'm sure the accounting department could tell me a bunch more of their favorites.

Let's say you make $20 per hour at your job. The cost of your benefits is probably also about $20 hour, assuming health insurance, etc. Heck, it could be more. But lets go with $40/hour as the total cost of your compensation for this example.

Now, let's say you lost 30 minutes of productivity to a worm. OK, $20 bucks that your company spent on having you do something other than your job function. But, you're way smarter than most of your colleagues. You didn't click it. You've just wasted 30 minutes initially looking at what it was, deleting more copies that came in, and deleting bounces, and you ever even called the help desk. Most people are probably at one hour, maybe more. Lots more, if they got
infected.

If by some chance it works out that the average cost of compensation (salary + benefits) in your company is $40/hour, and you have 100 employees and on average each person lost 30 minutes to the worm (again, I bet it's hard to get the number that low in most companies when a big wrom like this appears), that's $2000 right there. Antivirus software is not even factored in because you either had it already or not, but either way, it's not a directly related expense.

OK, that was the first day. People will deal with more crap in their mailboxes tomorrow, and the day after and quite a few days after. At least for a week, you might expect to have a company-wide average of 30 minutes per person, per day, spent on things related to the worm.
Now we're at $10,000.

This all assumes that no data was damaged or destroyed (if it was, the monetary value of that data, if irreplaceable, is charged. For replaceable data, the cost of an admin restoring it is charged).

And don't think your average will probably be that low. If a lot of people get infected, your helpdesk staff and sysadmin staff will probably be spending the majority of their time on this problem for at least a week. In a typical 100-person company with a Windows machine on every desk, you may be really lucky to get away with $10,000 chargeable to the worm.

I work for a well-known mail filtering company, and I'm getting a front-row seat for the impact this is having. It's large, even for companies that have our services. If you have tens of thousands of employeeds, you're going to see a lot of bounces coming in, and those divert staff time to deal with them.

Now, imagine you have tens of thousands of employees and you're not using a service like ours. You're going it alone. Your admins. Your equipment. Your anti-virus software which you hope gets the new signatures before the worm gets to you. Your admins and helpdesk staff are working their butts off for at least a week, probably more (not that they weren't already busy). You might have hundreds or even thousands of infected machines to deal with. Countless bounces. Suddenly, you find yourself looking at a cost reaching into the hundreds of thousands of dollars. Not a pretty sight.

While

Re:Actual Cost of a Virus / SCO

[Snad]

The cost of 400 yellow post-it notes saying "DO NOT OPEN FILE IF EXE OR SCR!"

You don't even need this one. Just strip all incoming executables at the mail server so the user never gets anything dangerous to click on.

We did that (at an admittedly small - just under 100 user) site using MailMarshal, now known as NetIQ Marshal.

There's never any good reason to send an executable file via e-mail anyway. Software updates etc are better accessed through ftp or straight off the web. Self extracting archives (zip files) are unnecessary given the number of free decompressors available if the company is too cheap to pay for licenses.

Blocking all (Windows) executables is easy in most filtering software, removes the worry of not being up to date with anti-virus library files, and works 100% of the time.

This was back in the days of the good old Anna Kournikova, ILoveYou and similar viruses. We had exactly zero infections, and zero problems.

Yes you can still get viruses in other ways (if some damn fool downloads a virus direct from a website) but how often does that actually happen? They all come via e-mail, and propagate via e-mail - be it your server or their own SMTP connection.

Re:Actual Cost of a Virus / SCO

[Alioth]

A better thing is to simply reject all emails with attachments, except for very specific ones on your allow-list that are known safe (for example, .jpg). This way, even if you get a virus that your virus scanner doesn't yet recognise - it gets rejected. There are other methods of sending files that don't require email.

As for anyone who opens attachments, it's fine to say that when you've got at least reasonably computer savvy users. However, many small companies have one computer 'expert' (which may be the boss's son) and a computer illiterate workforce who knows how to type a letter in Word and send an email. They don't know what EXE or SCR is and are unlikely to remember. They might be fabulous truck drivers on the other hand, who've never had a wreck and who always get their vehicle to where it's going on time. Why fire them for a mistake in something they have little knowledge about?

Re: Actual Cost of a Virus / SCO

[Black+Parrot]

> So remember folks: all those years of school, training, reading, getting up at 5:30AM, working your ass off, overtime, weekends, holidays, sitting in meetings, telling your asshole boss how smart he is...

> ...all reverse vacuumed into the shitpipe because you made one mistake. There's no excuse for being human in an inhuman workplace. Take your parting gifts, pack up your shit and get the fuck out. Time to watch your career get destroyed.

You're talking to the CIO that moved the company to Microsoft products, right?

Re:Actual Cost of a Virus / SCO

[thesupraman]

Well, lets see.

I provide consultance and external admin to a 'mid sized company' who got hit by this in the last couple of days. This is a company with around 50 on-site employees and an anual turnover in the region of $40 Million.

My filters let through two instances of the virus before they automatically updated their defs.
One went to a windows machine and infected it.
One went to a mac, and did not.
None of around 7 internal Linux servers were affected of course.

I knew very quickly which machine had an infection, as it was trying to send more viruses via the smtp server (which was by then blocking them) - we are not NEARLY stupid enough to give employees direct internet access via NAT!.

I blocked the access to the smtp server for that single machine (didn't even need to track down who it was) and they called me about 30 minutes later, when they next tried to send an email, letting me know who they were.

I asked them to download and run the cleaner program, which they did, so I re-enabled them. Their machine made no further attempts, so I suspect it is fine.

I also installed another layer of virus scanning just for the hell of it, and re-tuned their anti-spam setup with the latest versions.
(clamav, http://www.clamav.net)

Total cost to them:
2 hours of my time at $60US/hour.
1 hour of employees time (overestimating here), say $60US/hour.

A moderate amount of traffic on their link (we are blocking around 1/minute at present for this virus, but it is dying pretty fast) - they pay a fixed link cost, so don't really care.

So there we go - lets call it $200US total cost, and they got some usefull systems updated as part of that.

I didn't even have to leaave my home office.

So, your point was?

Re:Actual Cost of a Virus / SCO

[Nogami_Saeko]

The real reason for the inflated damage estimates is that it sounds impressive in the media, which generates FUD, which generates more viewers, which sells advertising space.

If a virus came out and the news reported it as causing "a few thousand dollars of damage across north america", would anyone give a damn? So the news directors and reporters try and figure out a more "interesting" damage estimate that they can broadcast. So, pump up those numbers! The virus caused $250 MILLION OF DAMAGES, suddenly sounds impressive and formidable.

It has about as much bearing as when the RIAA sues people for tens or hundreds of millions of dollars because "the song they had shared 'could' have been sent to everyone on the planet, thus depriving the record company of any profits whatsoever".

The reality is that in the office I work for, one person clicked on the attachment and got their machine infected. He continued working as normal and called the IT guys who came around and fixed it.

Total lost productivity time? A 30 second phone call. Total lost revenue? $0.

Compared to people just plain ol' "slacking on the job", viruses do a negligable amount of damage.

Funny how you never hear about the '$50 billion in lost revenue' from employees taking three 15-minute "smoke breaks" every day.

Re:Actual Cost of a Virus / SCO

[Twylite]

Your costs need a little inflating ;) Add the following:

• It tends to cost a company three times your salary to employ you (including office space, equipment, salary and benefits, etc). That's closer to $120 per hour for your hypothetical worker.
• Losing 1/2 hour productivity means paying out $120 without getting in the minimum of $150 the company should be trying to make out of your time. This means an actual cost of $120, but an economic cost of $270, per employee.
• Annual subscription to a commercial desktop antivirus: $25 per employee. Without this you have no hope of cost-effectively containing a virus that hits you before there is a patch for the mail/file server anti-virus. Add extra for commercial products with easy-to-use remote administration for all those end-user desktops; and even more for network admin time if there is no remote administration.
• Any company that has to take down their mail server due to volumes generated by a worm (and it happens a lot), and that is reliant on e-mail for internal communication (also very common), can write off $270 per employee per hour that the server is down. That's up to $27000 per hour in a 100-person company. Ouch.
• Now image a multinational with +2500 employees that has to take all their mail servers offline for 36 hours to clean up. It's happened. It's expensive.

Re:Actual Cost of a Virus / SCO

[ozric99]

I work for a well-known mail filtering company, and I'm getting a front-row seat for the impact this is having. It's large, even for companies that have our services.

Now, imagine you have tens of thousands of employees and you're not using a service like ours. You're going it alone. Your admins. Your equipment. Your anti-virus software which you hope gets the new signatures before the worm gets to you. Your admins and helpdesk staff are working their butts off for at least a week, probably more (not that they weren't already busy). You might have hundreds or even thousands of infected machines to deal with. Countless bounces. Suddenly, you find yourself looking at a cost reaching into the hundreds of thousands of dollars. Not a pretty sight.

Nice advert for your services, you forgot the URL ;)

I work in a 100% NT4 desktop corp environment (our admins, our equipment) and we have around 40,000 users on various domains. We use Exchange and Outlook. Wanna know how many of these "deadly" worms we've had infect our systems in the last 3 years I've been working there? None

There's nothing inherently deadly about MS stuff in a corp environment as long as your admins and engineers are worth the money they're paid. Frankly I welcome hearing how much cash companies are supposedly losing with this - let it be a kick up the backside. :)

Re:Actual Cost of a Virus / SCO

[TygerFish]

Actually, the guys you call 'morons' are just average people with respect to your chosen field of endeavor.

They're not geeks and calling them morons on the basis of their not understanding computers is like calling someone a moron for not being a great chef, a gifted pianist, a brilliant chess-player, or an insightful auto-mechanic.

Ceteris paribus, knowing nothing else about the poor schmuck panicking with his hot little hand on the mouse button, the word makes no sense. In fact, it may very well say more about the person who needs to reach for it than it does about the one to whom it's applied.

Re:Actual Cost of a Virus / SCO

[prandal]

Once a day is not enough! (I wish!)

When the orginal MyDoom.A came out, we were catching them with ClamAV 5 hours before McAfee's patters came out. A similar thing with MyDoom.B.

Update your patterns hourly, as a minimum.

Even that's not enough with a mass vectored attack in which thousands of compromised PCs used to distribute a new virus at the same time.

Antivirus vendors are going to have to rethink.

We need rapid responses to newly detected viruses.

Waiting hours for updated detection patterns isn't good enough, or soon won't be.

Don't Forget Bandwidth

[DotNM]

Another thing that's expensive and not to be forgotten is the bandwidth of sending all this crap spam. Why should the recipient of these messages bear the costs of the bandwidth essentially wasted because of these messages.

Why do you care?

[ObviousGuy]

This is one of those hand-waving statistics that is useful for showing the business leaders, but it's practically useless in day to day network protection.

These numbers used to be in the billions of dollars, but now they are more reasonable in the millions. If anything, it shows a trend in the perception of the value of data in a downwards direction. Everyone thinks data is some really important thing which should have a high value, but as more and more data is brought into the open (including, but not limited to, source code) the value of data drops.

Wasted time!

[Gavin+Rogers]

The biggest cost of these sort of virus is time.

Time waiting for your 'net link to do what you've paid for it to do while your email server chokes on hundreds of incoming virus emails.

Time wasted by tech staff explaining to every user at least once to not click that file (or if the organisation has virus scanning) to ignore the ten dozen "virus has been nuked" warning emails.

Time wasted by staff who have to spend time ignoring this junk, replying to warnings about the thing from their naieve friends and family emailing then CNN URLs and saying, "is this for real?"

Time wasted making sure the company virus protection is up to date on laptop machines that get infected at home on 'raw' Internet connections then get plugged into the pristine corporate network in the morning. Time wasted fixing machine that weren't caught in time.

This sort of cost really adds up...

Re:Wasted time!

[tanveer1979]

The biggest cost of these sort of virus is time.

Umm, that means slashdot is more dangerous than all these virus! :)

do your math: it'd only be 5000 small businesses

Do your math: you say between $48K and $58K per small biz, so let's take a lowly $50K average. The sum is supposed to be $250M, which is only 5000 times those $50K.

are there only 5000 small businesses out there?
i think not.
So those $48K to $58K must certainly be understood as a "worst case" figure applying only to a fraction of businesses out there

The Numbers

[RetiefUnwound]

Probably came from a 'Network Security Consultant', not a network engineer. The cost of course includes the hours billed by the consultant, who advises you on how to 'secure' your network.

Remember, a consultant is someone who'll steal your watch, then make you pay them to tell you the time.

As long as you are not infected

[a.koepke]

If you get infected you have the cost of fixing the computers, downtime and lost productivity, loss of earnings, etc. All of this can up to many thousands of dollars.

The company I work for has not become infected, the only cost of the virus is stupid bounce back messages and an hour of my time fine-tuning our mail server config. Due to this the virus has cost us something, but its hardly worth mentioning.

The cost of having a good anti-virus system is really easy to justify.

Inflated costs AGAIN - that trick never works

[dbIII]

These things get blown out of proportion to feed egos.

One good example is in the Bruce Sterling non-fiction book "The Hacker Crackdown" - which can also be read online. To sum up, the financial cost of get a paticular document taken from a mainframe was given as the total cost of the mainframe, a terminal and the salaries of a bunch of people going up the heirachy from the person who wrote the document, for far longer than that person actually spent working on that document (ie. paying for someone to write it at the rate of a few words a day, someone else to stand behind then and look over their shoulder for days, someone behind them etc). The defence proposed that the actual worth of the document was the few bucks plus postage that other people paid for it when they ordered it from the company over the phone.

Opportunity costs are difficult to calculate, one missed email and you could have been a contender - on the way to fame and fortune - but it's more likely that the email is just spam.

This is harsh, but it needs to be said

[ajs318]

Well, Mandrake Linux fits on three CDs, so I'd say the cost of securing a business against virus attacks is about 75p.

The reason why so many attacks are against Windows is that Windows is usable by complete morons -- and, as an inevitable result, you get complete morons using it. Yes, we all know GNU/Linux requires a little tech savvy. You don't get smart enough to use GNU/Linux without first learning that running just any old programme when you don't have the faintest idea what it does, is a bloody stupid thing to do. On the other hand, any living advertisement for the pro-choice movement can fire up Windows XP and get their computer riddled with malware in a twinkling. Why? Because Windows is too easy to use.

It's a perfect illustration of reverse evolution in action. You try to make something idiot-proof, then nature only goes and comes out with a dafter idiot.

You could never make a car that a five-year-old could drive safely -- and even if you could, it would necessarily lack so much functionality it would barely be usable. Really, there's no point trying -- it's better to issue full driving licences only to adults and only on completion of a test. And then we don't have to suffer the consequences of cars that would be driveable by five-year-olds.

The very fact that GNU/Linux naturally weeds out complete retards probably explains why there are not -- and will never be -- as many GNU/Linux exploits as there are Windows exploits.

Re:This is harsh, but it needs to be said

[blincoln]

I know this may come as a shock, but there are plenty of careers where computers are a tool, not an end in and of themselves.

I work in IT for a large retailer in the US. Most of our non-IT people are paid well because they sell lots of merchandise to customers and keep them coming back. People who are good at that tend *not* to have the time to learn how to use something like Linux.

I used to have a similar sort of superior attitude about the vast majority of people out there who don't understand computer issues in any sort of detail. Then I started noticing how irritating it was when people who were specialized in other fields - e.g. medicine, car mechanics - did the same thing to me.

I can understand giving someone a bit of trouble if they're clueless *and* work in a tech-related field, but not if they just use computers as a tool for getting something else done.

Do you honestly know how to disassemble and repair your car and home appliances, or perform surgery? My body gets more use than my home or work PCs by default, but I can't perform more than basic repairs on it. Does that make me a moron? No, it just means that I do something else for a living.

Re:This is harsh, but it needs to be said

[blincoln]

In fact, I just had a vivid image of a doctor visiting a bunch of children in Iraq who'd lost limbs from playing with those cluster bombs that look like food packets and saying "You did what? Don't you retards know not to open unfamiliar packages?"

See how petty and insulting it sounds when it's in relation to another line of work? That's how the "dumb user" attitude makes tech workers look to people in other fields.

Re:This is harsh, but it needs to be said

[fizbin]

I know this may come as a shock, but there are plenty of careers where computers are a tool, not an end in and of themselves.

And this may come as a shock - although I can't perform basic repairs on my car, and no one expects me to be able to, when I use my car as a tool to get me to and from my job, I am still held responsible for basic user cluefullness. I am expected to pay attention to all of my actions while using this tool, and no one thinks that it should be otherwise.

That's all the poster asked for - he doesn't ask for people to be able to fix a bug in one of their init scripts. He doesn't even ask for the minimum of skills I would expect for a specifically technical job. He just asks that people not step on the accelerator when an interesting brick wall appears in front of them.

Obviously, the consequences of being clueless with your computer are nowhere near the consequences of being similarly clueless with your car. However, the idea that you can be held responsible for paying attention to those actions you do perform is not unthinkable. Simply being aware of what you're doing should not be too much to ask.

Re:+1 Funny Because It's True

[bangular]

The argument I hear the most, without a doubt "Windows gets more viruii because it's more popular". I call bullshit! I know it's bullshit because of Apache. Apache, by almost any web server survey, has at least as many servers as IIS (netcraft says between 2x and 3x, but let's say just as many for sake of argument). So by this reasoning, apache should have as many worms as IIS. But, as far as I can remember, there have only been two Apache worms. Neither of which btw were as crippling as any IIS worm. In fact, I was running multiple apache servers at the time of both of them and got neither one. What about Oracle? IIRC Oracle has a larger market share than sql server. Do we know of any RDBMS worms as devistating as slammer?


Microsoft still isn't taking security seriously. Although this virus requires user interaction, Microsoft shouldn't make it so easy to execute content. Hell, content can be executed just by looking at the preview pane in outlook. Check out the story over in developers. MS decided instead of fixing the url spoofing bug that phishers have been using since december, they are just going to not allow urls with an @ sign in them.


Then you've got your idiots over at security focus, such as Tim Mullen (who is a security consultant for MS btw) who believes security shouldn't be an issue for MS to worry about. It should be the end user who worries about it. It's no wonder they do not take security seriously when you've got people with views like that advising you.


Let's not forget the anti virus companies. Their lively hood is protecting people from virii. Not stoping them, protecting people from them. If we didn't have virii, then the anti virus companies would be out of business.



When you've got all this political bullshit swirling around the only one that loses is the end user. The one who bought their computer to enhance their life. To get onto the internet and reasearch car safety because their teenager is about to drive. Or the grandma who wants to recieve pictures from her grand children. Or the first time user that gets a virus within 15 minutes of plugging in their new computer, ensuring they will probably hate it from that point on.

Virus attacks keeps SOME folks in a job...

[logicassasin]

Considering that there's a lot of us in the IT sector out of work, Virii can be a godsend. Why? 'Cause, even if it's only for a week or so, we get called by the local contract companies to clean it up. I did a 2 week stint at Honeywell in Phoenix doing just that. I was unemployed when they got hit by whatever virus back in August and got the call to help with it's cleanup. This later turned into a longer contract to help out their PC Techs clean out their ticket backlog caused by the virus; some 2000 or so tickets generated and left untouched during the cleanup. We were out there for a total of 5 weeks.

Stuff like this, large comapnies needing to outsource virus cleanup, is also a major factor to be considered when looking at those numbers. Figuring that the contract companies got an average of $25/hr for each of us and multiply that by the initial order of just over 100 techs for the first 2 weeks of cleanup (Honeywell has numerous, large facilities around Phoenix), and you see just how much money these things can cost a company.

Total cost of MyDoom virus at my work.

[edunbar93]

I'm the sysadmin for a small ISP. Here's our rough figures:

New mail server, bought last February: $2500
FreeBSD 4.8: $0.
Qmail: $0.
Vpopmail: $0.
qmail-scanner: $0.
Spamassassin: $0.
F-prot antivirus for unix file servers: $400/year/server.
My time*: $3000.
Moving from sendmail to qmail and watching sendmail admins patching: priceless.
Moving from sendmail to qmail and watching server load averages go from 20 to 0.02: priceless.
Adding on spamassassin server wide and watching server load averages go from 0.02 to 3.0: well, it's still better than sendmail was.
Watching the server eat 30,000 viruses a day during the MyDoom attack after months of hard work: totally righteous.

There are some things money can't buy. For everything else, there's my Boss' Mastercard. Accepted in places where Open Source Software impresses geeks like me.

* I'd never before used any of the software listed above. It took a while to learn it all in between tech support calls.

Potential Loss

[div_2n]

I used to work at a company that does storage and fulfillment for Toyota Motor Manufacturing. They have a contract that says for every hour they can't deliver product, they owe Toyota $100,000. So if a virus were to knock them offline for a 5 hour period, they would lose $500,000 on fines alone.