Another Fight To Wage

Companies buried by spam focus their attention--and resources--on the battle against spyware and adware

The battle against spam and its spawn, spyware and adware, is escalating for Lynda Fleury, assistant VP and chief information security officer at UnumProvident Corp. A year ago, the $10 billion-a-year insurance provider received 2.6 million spam E-mails. By November, the number had nearly doubled to 4.8 million. As if trying to keep missives offering cheap Viagra or get-rich-quick schemes out of in-boxes weren't enough of a job, a steadily increasing onslaught of spyware and adware is further taxing IT resources. "People get so choked up with spyware, and then they place a call to the help desk," Fleury says.

EFunds' Jones is working to combat all types of attacks, whether they're brought about by spyware or other means.

Photo by Peter Taylor/Getty Images

UnumProvident is one of a growing number of companies beginning to investigate anti-spyware products. By and large, companies allocate more IT dollars to fighting the twin scourges of spyware and adware, while continuing to pump time and money into keeping spam of every variety under control. Just over 70% of 400 business-technology professionals recently surveyed by InformationWeek Research will spend somewhat or significantly more money to manage spyware, and more than 60% say the same of adware. They can only hope that it won't be as uphill a battle as spam has been--based on data the study collected, spam E-mail accounted for half of inbound messages in 2004, up from 40% the year prior.

It's been rough going so far, with nearly 80% of respondents saying their organizations have been infiltrated in the last 12 months by spyware, which tracks Web surfers' every move, or adware, which displays pop-up ads guided by users' surfing habits and keyword searches. Both types of small applications can be installed on PCs by specially crafted E-mail messages, "free" software downloads, and other tricks. These intrusions haven't caused 90% of the surveyed companies significant damages in terms of financial losses due to systems being tampered with, data being stolen, or other security breaches ... yet. But they steal time from IT staffers, who must handle more help-desk calls from users who can't get rid of pop-up ads, and who must clean up systems suffering from the performance slowdowns that stealth adware or spyware installations bring on.

Preventive Measures Chart

Kim Jones, director of global security services for electronic financial processing company eFunds Corp., knows the problems adware can cause. "Someone will say their machine is slowing down, and we'll find 450 cookies from all of the sites they've visited," he says.

There's potential for greater damage, particularly with spyware. Criminals and hackers use spyware such as keystroke loggers and Trojan horses to capture everything typed on PCs or to take control of systems to steal user names and passwords that could be used to attack and gain access to business resources.

Last summer, Jones started using MainNerve Inc.'s Adaptive Darknet Service, a network of sensors scattered about the Internet spotting hacker command-and-control networks, which is constantly updated with attacking IP addresses. Jones installed a MainNerve security appliance at each main Internet connection; if one of eFunds' systems gets infected with a Trojan, the service will spot the Trojan app's attempt to communicate with the attacker. EFunds also defends against security hazards with network intrusion-detection systems, Spam Sentinel for Lotus Notes, and Symantec antivirus software.

One problem is that most tools to fight spyware and adware aren't mature. Textile provider Unifi Inc. has seen an increase in the number of systems bogged down with spyware, says IT director Mark Sidden, and no single vendor has a comprehensive answer to the problem. "We use about a half-dozen point solutions to keep systems clean," he says.

Spending Expectations Chart

The need for anti-spyware applications has caught the attention of big software vendors. McAfee this week adds spyware blocking capability to its McAfee IntruShield network intrusion prevention app, and it's delivering a beta version of its Anti-Spyware Enterprise Edition Module that will work with its corporate anti-virus product. This month Microsoft released a beta of its anti-spyware app, and last month Computer Associates released a corporate anti-spyware product, E-Trust PestPatrol Anti-Spyware r5. Webroot Software's Spy Sweeper Enterprise provides security for mobile users and manageability for larger businesses.

Technology already has made a dent in spam problems. The number of spam messages companies receive keeps rising but so does the percentage of unsolicited messages blocked from in-boxes. In 2003, companies reported that spam filtering stopped more than half of unsolicited messages. At the end of 2004, 68% of spam was being caught. UnumProvident's Fleury has seen results: The company uses spam filtering from SurfControl plc, and despite the uptick in spam being sent to users, employees aren't seeing many of those messages in their in-boxes.

Franklin Warlick, messaging systems administrator at cable-TV company Cox Communications Inc., started tackling the spam problem about 18 months ago. Cox now uses two CipherTrust Inc. secure E-mail appliances, and Warlick estimates they block 99% of the 38 million spam E-mails that head Cox's way each month. That's critical, Warlick says. Spam is "now a security threat," because more spam E-mails today contain adware or spyware that users unwittingly install (see story, "Raising Awareness Key To Thwarting Spyware").

But fighting spam of every stripe, from garden-variety sales pitches to potentially malicious spyware, is costly. Nucleus Research puts the typical cost per employee to fight spam in 2004 at $1,934--more than double the amount in 2003. Productivity lost also climbed from 1.4% in 2003 to 3.1% in 2004, according to Nucleus.

Effectively combatting spam, spyware, and adware, Unifi's Sidden says, "takes educating end users, as well as using technology." Given the threat to many businesses, class is now in session.

Continue to the sidebars:
A Look At The Law: Can The Government Have An Impact On Spyware?, and Raising Awareness Key To Thwarting Spyware