A study released yesterday by Microsoft doesn't quite tell customers suffering from malware infections that they get what they deserve and should just leave it alone, but it comes darn close.
Zero-day vulnerabilities, viruses, poisoned web sites, Trojan horses, malware and other forms of cyberattack cost companies 56 percent more to deal with during 2011 than during 2010, an average of $5.9 million, according to an August study from Ponemon Institute.
All but a tiny fraction of that cost goes to preventing or recovering from malware infections, the Ponemon study revealed.
The study focuses on malware propagation – how infections move within a population and what causes individual victims to become infected.
Medical epidemiologists do the same thing with human diseases, though talking to an epidemiologist about it in real life is a lot less exciting than the way Hollywood represents them in movies about infections that turn people into zombies, just for one ripped-from-the-headlines example. There are also plenty of non-zombie epidemiology movies, but it's harder to get excited about a disease that doesn't try to eat you after killing all your family and friends.
(I don't know what got me thinking about melodramatic fictional portrayals of apocalyptic panic and disaster, let alone the kind of movie that habitually punishes sexually active teenagers and other examples of the deterioration of society with a horrible fate at the hands of an unspeakable evil. Let's go back to talking about Microsoft.)
Zero-day exploits – flaws in Windows or other software that have just been discovered or for which a patch is not yet available – account for only about one percent of all malware attacks.
Nearly all the rest happen because the mealy-mouthed, weak-willed customer has failed to live up to his or her responsibility by making sure all the patches available for all the software he or she uses are installed immediately, installed correctly and are functioning properly within the machine they operate only at the will and by license from Microsoft, which still owns the software and can take it back at any time, you betcha, especially if you act ungrateful and talk back to it and get all demanding.
Customers who don't spend all their time making sure all the patches are installed are irresponsible and out of luck, not to put too fine a point on it, as are customers who were infected by malware because they continued to work – connected to the Internet – while their patches downloaded and their antivirus was turned off because the patches won't install correctly with the A/V on.
Microsoft wastes little time acknowledging that the coterie of security flaws and outright gaffes in its own products have contributed heftily to the tenuous security position of the average network-connected PC.
It spares few words discussing the promiscuous behavior of its browsers and security software, drivers, databases and an application environment that, until the most recent versions, invited any executable that dropped in to go straight to Ring 0 and do what it liked with whatever it found there.
It made little mention of a flow of patches and updates so heavy it had to cut back to the weekly Patch Tuesday holiday, like Santa Claus reluctantly deciding he could only deliver toys on Christmas, not every night of the year.
It doesn't mention the productivity cost of having both IT people and end users continually downloading, testing, installing and recovering from installation problems involving patches, antivirus and malware.
It points out – quite correctly and with fully detailed research to back up its point – that most malware attacks would not succeed if its customers were more conscientious about the way they maintain Microsoft's software – which it can still take back if you sass it, don't forget.
And this from a company that, even in its newish 'secure' phase, patched 22 "consistently exploitable" and two "critical" flaws in IE, Silverlight, .NET and other Windows add-ons so far this month. That's not a lot, is it?
Microsoft only got religion a few years ago, tightening up its security stance by releasing several notable and free antivirus applications and recovery tools and (almost by the way) doing things like changing the default configuration of its products from More Viruses Here, Waiter, to No More For Me, Thanks.
It never quite got used to the idea that the stupid behavior of its customers is its responsibility. This study, disguised a little to look as if it is simply focusing on malware propagation methods, retreads ground walked by nearly every security study ever done.
End users, it discovers, don't like to spend all their time applying patches and making sure nothing bad happens to their computers, in the same way most car owners don't like to keep their primary mode of transportation confined to the driveway, running out to protect them with a cover every time it drizzles and spending all day polishing or changing the oil on days when it doesn't.
There are certainly people who enjoy that kind of activity, but even the most crazed motorhead spends more time driving a less-well-maintained daily driver than a polished jewel they can hardly bear to wheel out on the road.
Cars, computers, software, clothing, tools, shoes – all the things we buy and use every day are there for us to use, not to preserve.
Abusing and ruining them is foolish, but we know when we're doing it. We don't need Ford to come by the house every week or so to remind us we're shortening the life of the engine if we don't change the oil every 3,000 miles.
And we don't need it trying to find a reason to keep people from blaming it when Pintos start bursting into flames every time anything larger than a bug rear-ends them.
We expect – and we know you think this is unfair – that when we spend a lot for a complex product and trust our lives or working lives to it, it will work as it is supposed to and protect us within certain limits, to the extent it's supposed to. We don't expect the vendor to throw up its hands and deny all responsibility the first time we exceed the speed limit or fail to come to a complete halt at the Stop sign.
We get your point. Users are sloppy with security, unreliable about patching, ridiculous about the usernames and passwords they choose and do idiotic things like open attachments from strangers and visit insecure web sites. We're also ugly and our mothers dress us funny.
We still rely on the software we buy from you in order to remain employed so we can continue buying PC maintenance products. We expect you to continue doing your part, not go out of your way to provide a body of published data clearly demonstrating it was all our fault anyway and we should just shut up about Microsoft's crappy security.
We know you don't like us; we can tell by the tone of your support documents, help-desk calls and collective air of undeserved superiority. We don't care as long as the software lets us do what we need to do, which sometimes includes something other than maintaining our software.
Now make with the antivirus updates, and the patches. And roll out a few patches to patch the patches I just installed, which made my (fully patched and updated) Outlook crash every time I look at the calendar or a reminder pops up.
Unless you think patches that spend all their time fighting over which one gets to be boss is my fault, too.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.