We have reached the point where malware, like the Blue Screen of Death, is viewed as an inevitable annoyance. Both of them are people problems, the difference being that while I have no control over the behavior of Microsoft’s employees, I can have an impact on the behavior of my own company’s employees.
That is why I am proposing a four-step program which I believe will reduce malware in our enterprise by about 98%, require no additional technology beyond what we already have in place today, and will be successful within 90 days.
Once I had time to actually read the New Yorker Article about “Million Dollar Murray” that John Quarterman referenced over at Perilocity, I started thinking about how a similar approach could be applied to our corporate malware problem.
The New Yorker article (by Malcolm Gladwell, of “Tipping Point” fame) focuses on how case workers identified the most persistent and expensive homeless people, those with a bad habit of winding up in the hospital on a regular basis (he nicknames one of them “Million Dollar” Murray, based on the researchers’ estimate that the man had cost the state over a million dollars in hospital expenses).
Here in the enterprise, I have a similar situation. Based on monthly reports I get from our Security Operations Center, about 98% of our malware problems are caused by 2% of the users, the vast majority of them using laptops. This makes sense, given that our perimeter malware controls are, at this point, supreme overkill.
Right now, my company spends absurd amounts of money, resources, and mindshare dealing with malware of various stripes, and very nearly none of it comes in through the firewall. Nearly all of it arrives on laptops, and malware incidents (i.e., worms) almost always hit us at the start of the work day, confirming my theory that the infections occur while the machines are off-premises.
Which brings me to my Modest Proposal. It’s only applicable to large enterprises, but I figure that this stuff has to start somewhere.
Step 1: Teaching
The goal here is to filter out those who either know better but make poor decisions or would do the right things if they knew what they were.
Offending users are identified and counseled about Acceptable Use. Their machines are rebuilt from scratch to ensure a Known Good configuration is in place at that point in time. They are reminded that the machine is company property and should be treated as such.
They must read and sign the company’s Acceptable Use Policy, a copy of which will be filed with HR. Lastly, their manager is informed that their machine has been rebuilt due to malware.
Step 2: Tethering
Anyone who has been through Step One and winds up with more malware on their machine has shown they are not capable of working safely outside our perimeter controls. To ensure they do not, their laptop will be replaced with a desktop machine.
They will be counseled again. Around here, though, not having a laptop is a significant prestige loss. The perception is that only the Unimportant don’t need to go places, laptop in hand.
Step 3: Termination
If a person manages to get malware onto a desktop machine inside our firewall, they are doing something Very Wrong. They are either malicious or terminally stupid, but either way, their presence in the company is probably a net negative.
Harsh? You betcha. Effective? I’ll bet that most of those 2% of users are just plain clueless and will get with the program once they realize that we’re getting serious about cleaning up the mess. People think that it’s OK to surf dodgy porn with their work-owned laptop, so long as they’re not at work when they do it. They just don’t understand the risks, even if only to themselves.
Are we going to lose some folks with this policy? Probably. But unlike the State of Nevada with Million Dollar Murray, we can afford to lose them.
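The two analyses behind this proposal, the “2% of users cause 98% of incidents” cut from the SOC reports and the start-of-day timing that points at off-premises infection, plus the three-step escalation itself, can be run over incident records as below. This is an added example, not code from the original post; the incident records, the headcount, and the host-type field are constructed assumptions standing in for whatever the real SOC report contains.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of SOC malware-incident records: (user, host type, detection time).
INCIDENTS = [
    ("alice", "laptop",  "2007-03-05T08:07:00"),
    ("alice", "laptop",  "2007-03-12T08:15:00"),
    ("alice", "laptop",  "2007-03-26T08:02:00"),
    ("alice", "laptop",  "2007-04-02T08:31:00"),
    ("alice", "desktop", "2007-04-23T10:45:00"),  # infected the desktop she was tethered to
    ("bob",   "laptop",  "2007-03-06T08:20:00"),
    ("bob",   "laptop",  "2007-04-10T08:12:00"),
    ("carol", "laptop",  "2007-03-19T08:40:00"),
    ("dave",  "laptop",  "2007-03-21T13:05:00"),
]
HEADCOUNT = 100  # constructed workforce size used for the "top 2% of users" cut

def incidents_per_user(records):
    """Count incidents per user, most frequent first."""
    return Counter(user for user, _, _ in records)

def share_from_top_fraction(records, headcount, fraction=0.02):
    """Share of all incidents caused by the top `fraction` of the workforce."""
    counts = incidents_per_user(records)
    top_n = max(1, round(headcount * fraction))
    top = sum(n for _, n in counts.most_common(top_n))
    return top / len(records)

def start_of_day_share(records, cutoff_hour=9):
    """Share of incidents detected before `cutoff_hour`; early detections point to
    infections picked up while the machine was off-premises overnight."""
    early = sum(1 for _, _, ts in records if datetime.fromisoformat(ts).hour < cutoff_hour)
    return early / len(records)

def escalation_steps(records):
    """Map each user to the program step their incident history has reached:
    1 = rebuild and teach, 2 = tether to a desktop, 3 = escalate to management."""
    history = defaultdict(list)
    for user, host, ts in sorted(records, key=lambda r: r[2]):  # ISO timestamps sort as text
        history[user].append(host)
    steps = {}
    for user, hosts in history.items():
        if len(hosts) == 1:
            steps[user] = 1          # first incident: clean up and counsel
        elif hosts[-1] == "desktop":
            steps[user] = 3          # malware on the tethered desktop, inside the perimeter
        else:
            steps[user] = 2          # repeat incident on a laptop: replace it with a desktop
    return steps
```

On the constructed data the top 2% of the workforce accounts for 7 of 9 incidents and 7 of 9 are detected before 09:00, which is the pattern the SOC reports are said to show.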
Update: Changed the name of Step One from “Cleanup and Education” to “Teaching” to give it a nice alliterative sound.