I Spy. . .
Vol 2 Issue 1 - Jan 2006
By Mark Robbins
"Spyware
is the latest emerging breed of technology threat endangering the security
of users and organizations," reported Derick Wong, Microsoft senior
product manager, Security/Management.
In a survey conducted by security firm WatchGuard, two-thirds of IT managers
named spyware as the number one threat to their networks' security. The
poll revealed that 66 percent of managers and administrators thought that
spyware would pose a greater threat this year than either viruses or phishing
attacks. Sixty-five percent also indicated that of the three threats, their
networks were least protected from spyware. Most alarmingly, almost three
out of four IT managers said that more than half their users don't know
what spyware is.
Another study, conducted by America Online and the National Center for Supercomputing
Applications, found that 80 percent of computers were infected by some form
of spyware, and each infected computer had an average of 90 different spyware
packages installed.
Spyware is a threat that isn't going to go away easily, and both the public
and private sectors need to take action to combat the growing security risk.
In some cases, drastic steps have been taken for the sake of security. The
Australian government, for example, has gone as far as to introduce the
Spyware Bill 2005, new legislation that would punish with a sentence of
up to two years imprisonment anyone convicted of installing cookies or spyware
on computers without first receiving permission. Whether such drastic measures
are warranted is as yet unclear, but it is clear that business and industry
need to understand and address the dangers.
Embed vs. Spread
The danger posed by spyware is fundamentally different from computer viruses.
Unlike viruses whose main objective is to spread and infect as many computers
as possible, spyware more closely resembles a parasite, embedding itself
in one computer and remaining undetected as it extracts user information.
Wong explained, "Ranging from the mildly annoying to destructive,
computer viruses are deliberately designed to interfere with computer operation,
record, corrupt or delete data, or spread themselves to other computers
and throughout the Internet, often slowing things down and causing other
problems in the process. Spyware, on the other hand, is normally designed
to seek out information from an unsuspecting user and either use that information
or send it elsewhere."
Spyware is also a common cause of on-screen pop-ups and computer slowdowns.
Although these are sources of frustration and productivity declines, the
real threat lies in unauthorized data access. And while individual users
face the loss of personal information and the potential of identity theft,
the ramifications for companies are much greater. With our increasing dependence
on technology for data storage, everything from client and employee records
to product design specifications as well as research and development results
are potential targets of corporate espionage. The legal ramifications under
the new privacy legislation surrounding the unauthorized release or transfer
of personal information also come into play.
"The theft of private information can be very damaging, especially
when that information is highly confidential. This is the primary concern
with spyware and is why organizations need to make it a priority to address
it."
Despite the threat, many larger organizations have been slow to respond.
According to a survey conducted by Trend Micro/CNET Networks
(posted online by TechRepublic in March 2005), only 54% of large enterprises
have an anti-spyware solution deployed as compared to 80% of small enterprises.
Wong cited the following reasons for the slow response:
- Their security policy forbids the use of "freeware" on their corporate
  computers - many of the anti-spyware solutions are currently freeware;
- The organization's current security policies, procedures and technology
  already minimize the infiltration of spyware-type programs;
- Their security policy only allows employees to access certain Internet sites
  that are business specific and trusted - no personal or free web browsing.
  Therefore the organization feels that it has minimized the spyware risk;
- There are currently very few anti-spyware packages that can
  be centrally managed and monitored;
- The organization may have custom applications that conflict with the
  anti-spyware packages and their scanners.
The good news is that with an ounce of prevention and a little knowledge,
you are less likely to fall victim to viruses and you can diminish their
impact.
Wong believes that employee education is the key to addressing the spyware
problem. "For the most part, spyware gets onto computer systems through
downloading malicious software unbeknownst to the user. This can often occur
in the workplace where the average employee is not a technology expert.
Spyware can also be downloaded from various Internet sites without the user
knowing it. This is even more dangerous than downloading software or files
from the Internet, as the user has only to browse or be misdirected to this
page and the download can happen automatically.
"Educating employees on an ongoing basis is part of the solution to
combating this problem. Ensuring that employees understand the harm caused
by installing software on their own is one step in the right direction.
IT administrators should be the only ones doing this, as this will help
prevent the installation of unwanted - and sometimes harmful - software
such as music or video file-sharing programs. Many times, employees do not
understand that doing so can jeopardize the security of an organization's
network," he added.
"Spyware is just one of the many risks that organizations face today.
It is very important for organizations to have a robust corporate security
program along with a solid corporate security policy. This security program
must include not only technology to protect the organization, but educational
courses and policies that its employees must learn and practice. Security
is only as good as its weakest link and the failure of just one of the links
will result in unnecessary risk for an organization."