Tell them that every time they click on that thing, it costs $1000
to disinfect the LAN and keep the firewall up to date.
Sean quoted some numbers sometime ago for 'average cost of virus outbreak
per enterprise' I don't recall the specifics, but they were staggeringly
high... On a whim/notecard lets try this:
1) enterprise network with 10,000 user systems (we'll assume no 'servers'
got/get infected in this ficticous dreamland of an example)
2) 1 user clicks attachment and gets <pick your flavor of email
trojan/virus> which spreads to 50% of the user PC's before action is
started to clean them.
3) assume a 'large' infosec/helpdesk group: 20 people
4) assume average cost per sec/help employee at 100,000/yr (including
benefits+OT for this incident)
5) assume all other sec/help work stops to stem the virus flow
6) assume it takes 1 day (complete 14 hour day) to cleanse the bad
machines (5k machines, which is 5000/20/14 = 17.8machines/person/hour or
3.3 mins to clean each machine and move to next machine... 'lightening
7) So for 1 day we tied up 20 people for 14 hours:
100000/1880*8*20 + 100000/1880*6*20*2 = $21276.60
That accounts ONLY for the sec/help people to do their 14 hours/person of
work (assuming 2xnormal OT rate, count that out and its still: $14893.62)
No, keep in mind that during this 14 hours the following other things did
1) 5000 people doing their normal job due to their PC being dead
2) 20 sec/help people NOT doing their normal work
3) 1 exec still happily playing solitaire...
These calculations are 'back of the irc-bot' calculations, and do leave
some things out... for instance server outages due to virus infections,
service outages due to network outages, lost revenue due to service
outages or lack of capacity to manage customer
These events are highly costly, no matter how many times we make this
arguement it's not clear that anyone that should be listening IS
listening. Often the resulting response is: "Well, buy more/better virus
protection software!" (from the same clicker-of-attachments) or "Shouldn't
our AV have caught this?" AV is but one part of the equation, user
education and consequences are some of the other part(s).
Caveat: have yet to actually try this approach, but seems like it would
have a chance at least.
you'd sure think it would, sadly it doesn't seem to...