How to Protect Your Business from Spyware and Adware
There's an old IT diagnosis: "Problem between the chair and the keyboard." It is more applicable today than ever, especially when it comes to spyware and adware.
No matter how much you scan and spam filter, no matter how many warnings you send out, someone, somewhere, will click the wrong e-mail link and potentially cause problems on your network.
Spyware and adware, and, to a certain degree, phishing e-mails, are constantly plaguing businesses, in some cases causing massive outages and productivity loss. Companies must be vigilant of spyware, the name for programs smuggled in under the guise of legitimate programs and secretly installed on your computer or your network, and adware, software that displays ads on your PC even when you're not surfing the Internet.
Both spyware and adware can impact data and/or system functionality, occasionally resulting in lost data and completely corrupted systems. Spyware and adware can render a computer sluggish, making even the most routine task, such as sending e-mail or calling up a document, slow. An estimated 30 percent of all help desk calls in companies today are the result of spyware, according to an IDC estimate.
The number of small and medium-sized companies investing in security technologies to fight spyware and adware is growing. Spyware now ranks with viruses, worms and spam as among the top SMB IT concerns, according to a 2005 study from Forrester Research. Forrester surveyed nearly 800 U.S. SMB technology decision makers and found that 71 percent planned to invest in additional security technologies by the end of 2005. The Radicati Group, a market research firm based in Palo Alto, Calif., forecasts that anti-spyware spending alone will grow from $103 million in 2005 to more than $1 billion by 2009.
The Anti-Spyware Coalition, a group made up of anti-spyware software companies, academics and consumer groups, has published a group of tips for businesses on how to block spyware and adware. The tips include the following:
* Training is the first defense -- Teach your employees not to click on links or files in e-mails... ever. Get them to sign an "acceptable use policy" stipulate that they won't access unauthorized programs. Some programmers suggest creating a secure FTP site and use that to trade important files back and forth with customers or use a service like xDrive.com to share documents. Focus on keeping e-mail attachment-free.
*Lock down desktops -- Desktop anti-spyware applications can find and remove spyware trying to execute on PCs. But maintain software updates, operating system and browser patches and manage desktop security from a central location. If you can, install an open operating system like Xandros or migrate to OS X. It's not something a lot of IT folks want to hear -- or have to learn -- but if the office assistant and the boss are both on Macs, they're going to experience less downtime because of spyware and still be able to handle almost any file type.
* Block spyware at the network -- Your company can configure gateway proxies and firewalls to prevent spyware from reaching PCs on the network by excluding download from known spyware sites and high-risk sites. They can also scan files at the gateway for known spyware code. Also, analyst logs of PC communications for high-frequency destinations.
*Create filtering rules, but be generous -- filter attachments, yet tag e-mails with bright and bold HTML messages informing the users how to get them out of your custom attachment lockbox. Also, consider unzipping archived attachments and scanning them immediately. Most spyware can be stopped at the source.
* Install a program like SpoofStick -- A free program for IE or Firefox, SpoofStick informs you if a website is "pretending" to be another, more legitimate website. In many cases, scams will take you to pages that purport to be a legitimate bank or other business, but are, in fact, fake information-farming pages designed to steal personal information. SpoofStick will blink if a page's URL doesn't match its title.