Skype: is it cost-effective from a security standpoint?

*Document Updated for clarity 3/23/07.

I’m still fighting the Skype battle where I work. Although it hasn’t gotten to this point yet, eventually we will require that a compelling business case be provided. That business case will likely boil down to the amount of money we could save by using Skype. To date, every request we’ve had for Skype has come from the angle ‘it’ll save money on long distance’. Let’s evaluate it on that metric: cost.

The Risk Defined

The risk of Skype is an unchecked vector into the enterprise network. It is a P2P overlay running on top of the physical network, and all of its traffic is encrypted using a closed, proprietary protocol, so third parties cannot even validate the strength of the encryption. Because the traffic is opaque in transit, nothing in the path (perimeter firewall, IDS, content filtering) can inspect it: any malicious payload on that network makes it all the way to the desktop before it is decrypted and becomes actionable. By that point the only realistic defenses are patch management, antivirus, and HIPS software, if it is deployed.

The Analysis

Is the money saved on calls equal to or greater than the cost of recovering from a partial network outage? In our case, absolutely not. How do I know? I compared the estimated phone savings from Skype against the salary paid for lost productivity during a loss of network availability. To keep the numbers simple, I assume that Skype carries 10% of all phone calls and that the outage costs 10% of the office’s network productivity.

To derive the savings figure, take a monthly phone bill from one of your offices and divide it by 30 to get the per-day phone cost. Divide that by the headcount of the office to get the cost per user per day.

Then assume that 10% of your users use Skype 100% of the time and stop using the regular phone altogether (for the sake of simplicity and easy math). Multiply that 10% of the headcount by the per-user-per-day cost to get a rough estimate of what Skype saves on phone bills when it carries 10% of the calls.

Estimating this way produces numbers that simulate 10% of all phone usage going over Skype rather than the normal telephone. Granted, no single user is going to turn in their phone just because they have Skype installed.

Also, the number of users is the common denominator between the telephone-cost and production-loss calculations. It is key to the equation, but it is not meant to be taken literally as “OMG, 40 workstations just went belly-up!!!”

Monthly phone bill¹: $10,000
Office headcount: 400
($10,000 / 30 days) / 400 users = $0.83/user/day (rounded; $0.8333 unrounded)

($0.83/user/day) × 40 users = $33.20/day saved if 40 users use Skype only

Now find out what that same office pays every month in salary. Divide that by the headcount, then divide the result by 30 to get the average salary your company pays each employee per day. Multiply that by 10% of your total users to see what it costs your company in lost salary alone if 10% of the network goes down for a day.

This calculation simulates a 10% loss of network productivity. That could be caused by 2 of the 40 Skype hosts being compromised by a Skype-borne worm and scanning so aggressively that a full 10% of all network traffic is the scan itself. Again, deriving the numbers this way is as close to an apples-to-apples comparison as I can get while keeping everything simple and clean.

Monthly salary²: $1.8M
Office headcount: 400
($1,800,000 / 30 days) / 400 users = $150/user/day

($150/user/day) × 40 users = $6,000/day lost in salary alone

Based on those numbers (which are very realistic for my environment) it would take 181 days ($6,000 / $33.20, about 6 months) of Skype usage to save enough money to pay for a single day in which 10% of the office loses its network productivity.

That certainly makes my decision much easier!
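The break-even arithmetic above as a small Python model, added here as an illustration rather than taken from the post. It uses the post’s figures ($10,000 phone bill, $1.8M salary, 400 heads, a 30-day month) and its 10%/10% simulation assumptions; the function names, the optional cents rounding that reproduces the $.83 intermediate, and the sensitivity sweep are this example’s own additions. Because both sides of the comparison scale with headcount, the break-even collapses to (salary / phone bill) × (outage fraction / Skype fraction), which is why the office size drops out and the two fractions dominate.

```python
"""Break-even model behind the Skype savings vs. outage-cost comparison.

Added example, not the post's own spreadsheet. The office figures below are
the post's ($10,000 phone bill, $1.8M salary, 400 heads), as are the 30-day
month and the 10%/10% simulation assumptions. Function names, the optional
cents rounding and the sensitivity sweep are this example's own choices.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

DAYS_PER_MONTH = 30  # the post divides every monthly figure by 30


@dataclass(frozen=True)
class Office:
    headcount: int
    monthly_phone_bill: float  # all telephony costs, as in footnote 1
    monthly_salary: float      # partner salaries excluded, as in footnote 2


def per_user_day(monthly_total: float, headcount: int, round_to_cents: bool = False) -> float:
    """Monthly figure -> cost per user per day. Rounding to cents reproduces
    the post's $.83 intermediate value; unrounded it is $0.8333."""
    rate = monthly_total / DAYS_PER_MONTH / headcount
    return round(rate, 2) if round_to_cents else rate


def daily_skype_savings(office: Office, skype_fraction: float, round_to_cents: bool = False) -> float:
    """Phone money saved per day if `skype_fraction` of the office makes every
    call over Skype instead of the PBX (the post's simplifying assumption)."""
    users = office.headcount * skype_fraction
    return per_user_day(office.monthly_phone_bill, office.headcount, round_to_cents) * users


def daily_outage_loss(office: Office, outage_fraction: float) -> float:
    """Salary paid for no output if `outage_fraction` of the office loses
    network productivity for a whole day (recovery labour not included)."""
    users = office.headcount * outage_fraction
    return per_user_day(office.monthly_salary, office.headcount) * users


def breakeven_days(office: Office, skype_fraction: float, outage_fraction: float,
                   round_to_cents: bool = False) -> float:
    """Days of Skype savings needed to pay for one outage day."""
    return daily_outage_loss(office, outage_fraction) / daily_skype_savings(
        office, skype_fraction, round_to_cents)


def tolerable_outage_days_per_year(office: Office, skype_fraction: float, outage_fraction: float) -> float:
    """Inverse view: how many such outage days per year consume a full year of
    savings. Above this count Skype is net-negative before recovery costs."""
    return 365 * daily_skype_savings(office, skype_fraction) / daily_outage_loss(office, outage_fraction)


def sensitivity(office: Office, skype_fractions: Iterable[float],
                outage_fractions: Iterable[float]) -> Dict[Tuple[float, float], float]:
    """Break-even days for each (skype_fraction, outage_fraction) pair, to
    show how much the ratio of the two fractions matters."""
    return {(s, o): breakeven_days(office, s, o)
            for s in skype_fractions for o in outage_fractions}


if __name__ == "__main__":
    office = Office(headcount=400, monthly_phone_bill=10_000, monthly_salary=1_800_000)
    print(f"savings/day : ${daily_skype_savings(office, 0.10):,.2f}")
    print(f"loss/day    : ${daily_outage_loss(office, 0.10):,.2f}")
    print(f"break-even  : {breakeven_days(office, 0.10, 0.10):.1f} days "
          f"({breakeven_days(office, 0.10, 0.10, round_to_cents=True):.1f} with the $.83 rounding)")
    print(f"tolerable   : {tolerable_outage_days_per_year(office, 0.10, 0.10):.2f} outage days/year")
    for (s, o), days in sensitivity(office, (0.10, 0.25, 0.50), (0.02, 0.10)).items():
        print(f"  skype {s:4.0%}, outage {o:4.0%}: {days:6.1f} days")
```

Unrounded, the post’s inputs give 180.0 days; the 181 in the text comes from rounding the per-user phone rate to $.83 before multiplying by 40. The inverse view is the one a reviewer will ask for: with savings of $33 a day against $6,000 a day of lost salary, roughly two such outage days in a year consume the whole year’s savings, and the sweep shows that a larger Skype population against a smaller outage (50% of users, 2% of the office down) still needs a week of savings to cover one day.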

¹ This figure includes trunk costs, local and long-distance charges, and yearly fees broken down to a monthly figure. I tried to include every cost involved in using a telephone. I did not include things like conference-call fees, since we would continue to incur those.
² This figure excludes partner salaries, which would unfairly skew the analysis. Also, when a partner experiences network downtime, such as their machine dying completely, IT moves mountains to get a machine back in their hands, so a partner rarely experiences an entire day’s outage.


Wouldn’t that be 18 months of Skype use to cover 10% reduction? 18*33.2 = $6000*10%

What are the chances of a network-impacting Skype attack? And then one that affects more than just that stupid user? What about bandwidth costs (unless you’re already using VoIP)? Will this impact firewall logging/monitoring with the crazy connections it likes to open, and if so, what is that amount? And then balance all of that against the estimated value of improved morale?

Just some thoughts…obviously risk and cost can be made as complicated as you want, but I like this little exercise you posted up above. :)

I wonder how this would work with VoIP as a replacement to the regular phone system.

I was just talking to my boss about this and he informed me that above and beyond the security implications of Skype, we charge our clients for all long distance calls, for a profit. Therefore Skype would reduce our profits.

That makes the score;

Enterprise: 2, Skype: 0.

I cleaned up my examples some to help clarify them.

I mislabeled part of the first example as months when it should have been days.

Sorry about that.

Aha! :)

You incorrectly presume:
* The 100% loss of Skype is 100% loss of productivity.
* the use of Skype vs. other phone is either/or.

Although I am not a proponent of Skype in business until they implement more robust and simpler administrative controls, your calculations, although mathematically correct, do not paint a true picture.

Unless the staff is all telephone work, such as call center or similar, the complete loss of Skype will not completely cripple productivity.

Additionally, the deployment of emergency or replacement telephones when only 10% use Skype implies simplicity. If 90% “still” use old-style phones, how hard is it to “add” or turn them back on for the 10% which is out of commission?

I have seen Skype used office-to-office more often than at 100% use. Users would default back to the old telephone when the QoS dropped, without loss of productivity.

You incorrectly presume:
* The 100% loss of Skype is 100% loss of productivity.
* the use of Skype vs. other phone is either/or.

My assumption wasn’t 100% loss of Skype itself, but 100% loss of the host running Skype.

The statement that 10% of the users use Skype 100% of the time is merely to estimate 10% Skype usage of all calls. This is for simulation purposes only and is how I derive my numbers.

Clarity, or lack thereof, notwithstanding, my calculations were intended to simulate Skype usage at 10% of all long-distance calls, and the downtime caused by a Skype-borne worm or equivalent was a 10% productivity loss.

Calculating risk analysis such as this isn’t an exact science by any stretch of the imagination!