Malware and the question that never gets asked

Just read this article on the ABC website, about securing your enterprise against malware. They gave great advice – “detect and block at the perimeter and inside the network”, “assess and protect endpoints”, “analyse threats through context”, “eradicate malware and prevent reinfection”, “remediate attacks with retrospective security” and “be sure to implement integrated rules on the perimeter security gateway”. But one important bit of advice was missing.

There are many such articles out there, but I’ve noticed that very few of them ever suggest that people should do a cost-benefit analysis of the measures they suggest. And in particular, that people should seriously ask themselves whether it might be cheaper to dump Windows than defend against the avalanche of attacks aimed at it.

It costs money to change operating systems – whether on the desktop or on a server, there is generally a lot of corporate skill invested. So “dumping Windows” is obviously not something that would be done on a lazy Friday afternoon. On the other hand, given the enormous expense of defending it, perhaps it is time for enterprises to have a long, hard and honest look at why, exactly, they use Windows instead of (say) OSX or Linux.

This is not to say that alternative operating systems need no defending – far from it. But they need far less defending. Both the likelihood of infection and the likely impact of infection are far lower for the simple reason that most malware is aimed squarely at Windows. By simply not using Windows, you sidestep a vast amount of malware.

So the next time you are evaluating your security posture – think seriously about the cost of using Windows versus the cost of trading it in for OSX or Linux. Or anything else, really!

One of the common reasons given for having to stay with Windows is that the enterprise really, really needs Application X. What will happen if the application stops being supported? If the enterprise outgrows it? If it develops a critical bug? Maybe being locked into a particular application is a bad thing in itself, a business risk, worth spending money to mitigate. What would it cost to change for any of those reasons? Arbitrarily setting the value of an application to “infinity” is laziness – laziness that could be costing a lot of money. So find out exactly how much the enterprise really, really needs Application X.

The cost of changing applications is one part of the overall cost of changing platforms. Factor it in, and perhaps you will decide it is cheaper to stay with Windows, malware and all. But people should actually do the exercise, not just assume they have no option.