Why malware statistics don't matter
I'm distrustful of statistics. I tend to look at much of the statistics that I'm exposed to on a daily basis as data repackaged and re-purposed (weaponized if you like) with a particular agenda (the warhead). This isn't to say that all statistics are bogus, but when you combine differing agendas with an overall lack of understanding of the subject, nonsense usually prevails.
And busting that nonsense is an important job. My colleague Ed Bott did an awesome job yesterday of calming the alarming levels of hyperventilation by certain (less rigorous) elements of the media who were suggesting that some 50% of PCs are affected with malware. Yes, this figure is total and utter nonsense. Ed offers up some better statistics:
The actual number varies, depending on where you are in the world, but for Windows users who have automatic updates turned on, the worldwide average is somewhere between 1% and 2%. In my opinion, if you practice the basics of online security, the likelihood that your Windows PC is infected by malware is a tiny fraction of 1%.
But when invoking statistics, we gotta be careful. That whole "if you practice the basics of online security, the likelihood that your Windows PC is infected by malware is a tiny fraction of 1%" didn't sit well with me at the time I read it. Why? Because it felt like a statistic pulled out of the air and designed to give you a warm fuzzy feeling. After all, everyone thinks they're smart, above average intelligence, above-average in look, and everyone thinks that they aren't being idiots when it comes to security, so we can ALL feel happy and confident that WE'RE NOT in that "tiny fraction of 1%."
Ahhh ... do you feel that nice warm fuzzy feeling yet?
...
Oh dear ...
Statistics are great until they blow up in your face.
I'm going to assume that the folks at Oak Ridge aren't idiots, and that they do practice some level of security. They are, after all, smart people. Oak Ridge National Laboratories is a super-secret facility which is managed by the US Department of Energy and conducts research into nuclear energy, chemical science, and biological systems. But this doesn't protect against a well-targeted, well-crafted attack. And this is increasingly the problem facing organizations - and the bigger they are, the more of a target they are. A home user might be able to draw comfort from the fact that they fall into the 2% or the "tiny fraction of 1%" category because they are doing all the right things and are all up-to-date on the patch front, but the truth is that you can still be hit, and hit hard. A home user can find their machine compromised thanks to a zero-day Flash player vulnerability just as easily as a super-secret organization can be bought to its knees by a well-chosen zero-day.
While a home user might be able to rely on the 2% rule thanks to anonymity and obscurity, but enterprise can't afford to fall into the trap of playing the statistics game. Yes, the warm fuzzy feeling is nice, I know, but you have to assume that you're a target, and that the attack is likely to be unique and creative.
Expect the unexpected!
With that in mind you need to build your infrastructure in such a way that both makes these attacks harder, and minimizes the possibility of data leakage. You also need to be sensitive to odd activity (which Oak Ridge seems to have been) and cut off the hacker's access as soon as possible (which again Oak Ridge seems to have done, keeping the data theft "in the megabytes, not the gigabytes").
I'm not going to get into that whole Windows vs. Mac vs Linux debate because that's also irrelevant in the big scheme of things. Your "Average Joe" user is probably safest running Linux or Mac than Windows (simply playing the statistics), but if the prize is large enough, you're really not safe no matter what you use. You cannot rely on statistics to protect you any more than browser or operating system zealotry.
Take care ... it's dangerous out there!