What's The Actual Cost of A Virus?

ThosLives writes "CNN Money just posted a story that says the MyDoom virus may cost businesses $250M. My favorite quote is that for small to medium businesses with 400 or less employees, the estimate is between $48,000 and $58,000 cost to 'secure themselves' from the particular virus. Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"

Actual Cost of a Virus / SCO

[DarkHelmet]

Let's see...

The cost of securing your mail server from viruses includes...

1. Download of Antivirus for sendmail
2. Installation of said program. (Which is about a day if you factor in moron-ness)
3. Keep new viruses in check.
4. The cost of 400 yellow post-it notes saying "DO NOT OPEN FILE IF EXE OR SCR!" (as a contingency plan.

The total cost of protecting a company from *all* viruses that go to their business accounts runs around $200 maximum.

Any moron who works at a company and opens said attachment should be fired anyway. So in the long run, the company actually *saves* money by all these worms going out.

So that must mean that SCO must be rewarding the MyDoom author for all the extra money they keep from firing morons at their company that open those attachments. Wait... that can't be right...

Re:Actual Cost of a Virus / SCO

[cubicledrone]

Any moron who works at a company and opens said attachment should be fired anyway.

So remember folks: all those years of school, training, reading, getting up at 5:30AM, working your ass off, overtime, weekends, holidays, sitting in meetings, telling your asshole boss how smart he is...

...all reverse vacuumed into the shitpipe because you made one mistake. There's no excuse for being human in an inhuman workplace. Take your parting gifts, pack up your shit and get the fuck out. Time to watch your career get destroyed.

Re:Actual Cost of a Virus / SCO

[PowerBert]

We use MailScanner which can work with Sendmail or exim and it supports many different AV programs.
It doesn't just do viruses though, it can run Spam checks (with or without the help of spamassassin), Filter out (and remove) dangerous HTML, filter/remove file attachments and has lots of other useful features.

Definately worth checking out.

Re:Actual Cost of a Virus / SCO

[gujo-odori]

That's not even close to the cost, even if you work very, very cheaply.

The cost of anti-virus and related is the least part of the equation, even factoring in the admin's time, and I don't care *how* cheaply you work. Not even if you're a volunteer.

The real cost is factored more like this:

- Staff hours that are lost looking at false bounces (or worse, getting infected, something which is very common) and having to correct that

- Helpdesk hours that are lost answering questions from people with a mailbox full of bounces for stuff they didn't send (or we hope not);

- Helpdesk hours that are lost disinfecting the
machines of all those who clicked the attachment. Mostly, the same ones who fell for it last time, too.

- Sysadmin hours that may be spent on watching over stressed mail queues to make sure they don't get full, and dealing with potential mail backlogs.

Those are three broad areas, I'm sure the accounting department could tell me a bunch more of their favorites.

Let's say you make $20 per hour at your job. The cost of your benefits is probably also about $20 hour, assuming health insurance, etc. Heck, it could be more. But lets go with $40/hour as the total cost of your compensation for this example.

Now, let's say you lost 30 minutes of productivity to a worm. OK, $20 bucks that your company spent on having you do something other than your job function. But, you're way smarter than most of your colleagues. You didn't click it. You've just wasted 30 minutes initially looking at what it was, deleting more copies that came in, and deleting bounces, and you ever even called the help desk. Most people are probably at one hour, maybe more. Lots more, if they got
infected.

If by some chance it works out that the average cost of compensation (salary + benefits) in your company is $40/hour, and you have 100 employees and on average each person lost 30 minutes to the worm (again, I bet it's hard to get the number that low in most companies when a big wrom like this appears), that's $2000 right there. Antivirus software is not even factored in because you either had it already or not, but either way, it's not a directly related expense.

OK, that was the first day. People will deal with more crap in their mailboxes tomorrow, and the day after and quite a few days after. At least for a week, you might expect to have a company-wide average of 30 minutes per person, per day, spent on things related to the worm.
Now we're at $10,000.

This all assumes that no data was damaged or destroyed (if it was, the monetary value of that data, if irreplaceable, is charged. For replaceable data, the cost of an admin restoring it is charged).

And don't think your average will probably be that low. If a lot of people get infected, your helpdesk staff and sysadmin staff will probably be spending the majority of their time on this problem for at least a week. In a typical 100-person company with a Windows machine on every desk, you may be really lucky to get away with $10,000 chargeable to the worm.

I work for a well-known mail filtering company, and I'm getting a front-row seat for the impact this is having. It's large, even for companies that have our services. If you have tens of thousands of employeeds, you're going to see a lot of bounces coming in, and those divert staff time to deal with them.

Now, imagine you have tens of thousands of employees and you're not using a service like ours. You're going it alone. Your admins. Your equipment. Your anti-virus software which you hope gets the new signatures before the worm gets to you. Your admins and helpdesk staff are working their butts off for at least a week, probably more (not that they weren't already busy). You might have hundreds or even thousands of infected machines to deal with. Countless bounces. Suddenly, you find yourself looking at a cost reaching into the hundreds of thousands of dollars. Not a pretty sight.

While

Re:Actual Cost of a Virus / SCO

[Snad]

The cost of 400 yellow post-it notes saying "DO NOT OPEN FILE IF EXE OR SCR!"

You don't even need this one. Just strip all incoming executables at the mail server so the user never gets anything dangerous to click on.

We did that (at an admittedly small - just under 100 user) site using MailMarshal, now known as NetIQ Marshal.

There's never any good reason to send an executable file via e-mail anyway. Software updates etc are better accessed through ftp or straight off the web. Self extracting archives (zip files) are unnecessary given the number of free decompressors available if the company is too cheap to pay for licenses.

Blocking all (Windows) executables is easy in most filtering software, removes the worry of not being up to date with anti-virus library files, and works 100% of the time.

This was back in the days of the good old Anna Kournikova, ILoveYou and similar viruses. We had exactly zero infections, and zero problems.

Yes you can still get viruses in other ways (if some damn fool downloads a virus direct from a website) but how often does that actually happen? They all come via e-mail, and propagate via e-mail - be it your server or their own SMTP connection.

Re: Actual Cost of a Virus / SCO

[Black+Parrot]

> So remember folks: all those years of school, training, reading, getting up at 5:30AM, working your ass off, overtime, weekends, holidays, sitting in meetings, telling your asshole boss how smart he is...

> ...all reverse vacuumed into the shitpipe because you made one mistake. There's no excuse for being human in an inhuman workplace. Take your parting gifts, pack up your shit and get the fuck out. Time to watch your career get destroyed.

You're talking to the CIO that moved the company to Microsoft products, right?

Re:Actual Cost of a Virus / SCO

[thesupraman]

Well, lets see.

I provide consultance and external admin to a 'mid sized company' who got hit by this in the last couple of days. This is a company with around 50 on-site employees and an anual turnover in the region of $40 Million.

My filters let through two instances of the virus before they automatically updated their defs.
One went to a windows machine and infected it.
One went to a mac, and did not.
None of around 7 internal Linux servers were affected of course.

I knew very quickly which machine had an infection, as it was trying to send more viruses via the smtp server (which was by then blocking them) - we are not NEARLY stupid enough to give employees direct internet access via NAT!.

I blocked the access to the smtp server for that single machine (didn't even need to track down who it was) and they called me about 30 minutes later, when they next tried to send an email, letting me know who they were.

I asked them to download and run the cleaner program, which they did, so I re-enabled them. Their machine made no further attempts, so I suspect it is fine.

I also installed another layer of virus scanning just for the hell of it, and re-tuned their anti-spam setup with the latest versions.
(clamav, http://www.clamav.net)

Total cost to them:
2 hours of my time at $60US/hour.
1 hour of employees time (overestimating here), say $60US/hour.

A moderate amount of traffic on their link (we are blocking around 1/minute at present for this virus, but it is dying pretty fast) - they pay a fixed link cost, so don't really care.

So there we go - lets call it $200US total cost, and they got some usefull systems updated as part of that.

I didn't even have to leaave my home office.

So, your point was?

Re:Actual Cost of a Virus / SCO

[Nogami_Saeko]

The real reason for the inflated damage estimates is that it sounds impressive in the media, which generates FUD, which generates more viewers, which sells advertising space.

If a virus came out and the news reported it as causing "a few thousand dollars of damage across north america", would anyone give a damn? So the news directors and reporters try and figure out a more "interesting" damage estimate that they can broadcast. So, pump up those numbers! The virus caused $250 MILLION OF DAMAGES, suddenly sounds impressive and formidable.

It has about as much bearing as when the RIAA sues people for tens or hundreds of millions of dollars because "the song they had shared 'could' have been sent to everyone on the planet, thus depriving the record company of any profits whatsoever".

The reality is that in the office I work for, one person clicked on the attachment and got their machine infected. He continued working as normal and called the IT guys who came around and fixed it.

Total lost productivity time? A 30 second phone call. Total lost revenue? $0.

Compared to people just plain ol' "slacking on the job", viruses do a negligable amount of damage.

Funny how you never hear about the '$50 billion in lost revenue' from employees taking three 15-minute "smoke breaks" every day.

Re:Actual Cost of a Virus / SCO

[Twylite]

Your costs need a little inflating ;) Add the following:

• It tends to cost a company three times your salary to employ you (including office space, equipment, salary and benefits, etc). That's closer to $120 per hour for your hypothetical worker.
• Losing 1/2 hour productivity means paying out $120 without getting in the minimum of $150 the company should be trying to make out of your time. This means an actual cost of $120, but an economic cost of $270, per employee.
• Annual subscription to a commercial desktop antivirus: $25 per employee. Without this you have no hope of cost-effectively containing a virus that hits you before there is a patch for the mail/file server anti-virus. Add extra for commercial products with easy-to-use remote administration for all those end-user desktops; and even more for network admin time if there is no remote administration.
• Any company that has to take down their mail server due to volumes generated by a worm (and it happens a lot), and that is reliant on e-mail for internal communication (also very common), can write off $270 per employee per hour that the server is down. That's up to $27000 per hour in a 100-person company. Ouch.
• Now image a multinational with +2500 employees that has to take all their mail servers offline for 36 hours to clean up. It's happened. It's expensive.

Don't Forget Bandwidth

[DotNM]

Another thing that's expensive and not to be forgotten is the bandwidth of sending all this crap spam. Why should the recipient of these messages bear the costs of the bandwidth essentially wasted because of these messages.

Wasted time!

[Gavin+Rogers]

The biggest cost of these sort of virus is time.

Time waiting for your 'net link to do what you've paid for it to do while your email server chokes on hundreds of incoming virus emails.

Time wasted by tech staff explaining to every user at least once to not click that file (or if the organisation has virus scanning) to ignore the ten dozen "virus has been nuked" warning emails.

Time wasted by staff who have to spend time ignoring this junk, replying to warnings about the thing from their naieve friends and family emailing then CNN URLs and saying, "is this for real?"

Time wasted making sure the company virus protection is up to date on laptop machines that get infected at home on 'raw' Internet connections then get plugged into the pristine corporate network in the morning. Time wasted fixing machine that weren't caught in time.

This sort of cost really adds up...

do your math: it'd only be 5000 small businesses

Do your math: you say between $48K and $58K per small biz, so let's take a lowly $50K average. The sum is supposed to be $250M, which is only 5000 times those $50K.

are there only 5000 small businesses out there?
i think not.
So those $48K to $58K must certainly be understood as a "worst case" figure applying only to a fraction of businesses out there

This is harsh, but it needs to be said

[ajs318]

Well, Mandrake Linux fits on three CDs, so I'd say the cost of securing a business against virus attacks is about 75p.

The reason why so many attacks are against Windows is that Windows is usable by complete morons -- and, as an inevitable result, you get complete morons using it. Yes, we all know GNU/Linux requires a little tech savvy. You don't get smart enough to use GNU/Linux without first learning that running just any old programme when you don't have the faintest idea what it does, is a bloody stupid thing to do. On the other hand, any living advertisement for the pro-choice movement can fire up Windows XP and get their computer riddled with malware in a twinkling. Why? Because Windows is too easy to use.

It's a perfect illustration of reverse evolution in action. You try to make something idiot-proof, then nature only goes and comes out with a dafter idiot.

You could never make a car that a five-year-old could drive safely -- and even if you could, it would necessarily lack so much functionality it would barely be usable. Really, there's no point trying -- it's better to issue full driving licences only to adults and only on completion of a test. And then we don't have to suffer the consequences of cars that would be driveable by five-year-olds.

The very fact that GNU/Linux naturally weeds out complete retards probably explains why there are not -- and will never be -- as many GNU/Linux exploits as there are Windows exploits.

Re:This is harsh, but it needs to be said

[blincoln]

In fact, I just had a vivid image of a doctor visiting a bunch of children in Iraq who'd lost limbs from playing with those cluster bombs that look like food packets and saying "You did what? Don't you retards know not to open unfamiliar packages?"

See how petty and insulting it sounds when it's in relation to another line of work? That's how the "dumb user" attitude makes tech workers look to people in other fields.

Re:+1 Funny Because It's True

[bangular]

The argument I hear the most, without a doubt "Windows gets more viruii because it's more popular". I call bullshit! I know it's bullshit because of Apache. Apache, by almost any web server survey, has at least as many servers as IIS (netcraft says between 2x and 3x, but let's say just as many for sake of argument). So by this reasoning, apache should have as many worms as IIS. But, as far as I can remember, there have only been two Apache worms. Neither of which btw were as crippling as any IIS worm. In fact, I was running multiple apache servers at the time of both of them and got neither one. What about Oracle? IIRC Oracle has a larger market share than sql server. Do we know of any RDBMS worms as devistating as slammer?


Microsoft still isn't taking security seriously. Although this virus requires user interaction, Microsoft shouldn't make it so easy to execute content. Hell, content can be executed just by looking at the preview pane in outlook. Check out the story over in developers. MS decided instead of fixing the url spoofing bug that phishers have been using since december, they are just going to not allow urls with an @ sign in them.


Then you've got your idiots over at security focus, such as Tim Mullen (who is a security consultant for MS btw) who believes security shouldn't be an issue for MS to worry about. It should be the end user who worries about it. It's no wonder they do not take security seriously when you've got people with views like that advising you.


Let's not forget the anti virus companies. Their lively hood is protecting people from virii. Not stoping them, protecting people from them. If we didn't have virii, then the anti virus companies would be out of business.



When you've got all this political bullshit swirling around the only one that loses is the end user. The one who bought their computer to enhance their life. To get onto the internet and reasearch car safety because their teenager is about to drive. Or the grandma who wants to recieve pictures from her grand children. Or the first time user that gets a virus within 15 minutes of plugging in their new computer, ensuring they will probably hate it from that point on.

Total cost of MyDoom virus at my work.

[edunbar93]

I'm the sysadmin for a small ISP. Here's our rough figures:

New mail server, bought last February: $2500
FreeBSD 4.8: $0.
Qmail: $0.
Vpopmail: $0.
qmail-scanner: $0.
Spamassassin: $0.
F-prot antivirus for unix file servers: $400/year/server.
My time*: $3000.
Moving from sendmail to qmail and watching sendmail admins patching: priceless.
Moving from sendmail to qmail and watching server load averages go from 20 to 0.02: priceless.
Adding on spamassassin server wide and watching server load averages go from 0.02 to 3.0: well, it's still better than sendmail was.
Watching the server eat 30,000 viruses a day during the MyDoom attack after months of hard work: totally righteous.

There are some things money can't buy. For everything else, there's my Boss' Mastercard. Accepted in places where Open Source Software impresses geeks like me.

* I'd never before used any of the software listed above. It took a while to learn it all in between tech support calls.