Q&A: IT in Denial over Spyware

While many small and medium-size companies fear spyware, they don’t think spyware infections can happen to them. Despite highlighting viruses, worms, and spyware as top network security concerns, many don’t actively combat even one of these problems.

Is your IT organization serious about stopping spyware? Apparently not. A large percent of IT managers don’t think their company even has a spyware problem.

Spyware poses a risk to corporate information and productivity, and it’s pervasive. According to research firm IDC, 67 percent of all PCs have one or more spyware infections. That can lead to purloined data, decreased PC performance, increased crashes and pop-up advertisements, plus overworked IT help desks.

According to a recent report from Forrester Research, while IT managers at small and medium-size companies rank their top security concerns as viruses, worms, and spyware, 43 percent of them still haven’t deployed PC-based anti-spyware software.

To discuss this apparent head-in-the-sand attitude to spyware, we talked with Kevin Haley, the group product manager for Symantec Antivirus Corporate Edition and Symantec Client Security.

How does spyware affect organizations?

In a number of ways. First, there’s an increase in help-desk calls from users who may be unaware they have something on their system … or are unaware of what’s going on. Second, there’s the network traffic adware can generate as it pulls advertisements down. … Third, there’s the productivity angle: people whose machines are slowed down … and while it’s hard to measure effects, it’s their productivity [that's in question] … and there are some very practical costs involved with that.

Do organizations understand how much spyware might be costing them?

We think these costs are often hidden for customers. I [regularly] talk to IT folks that either tell me that they don’t have a problem with spyware and adware or they’re unaware of what it is. …

Just how prevalent is spyware on enterprise desktops?

We don’t [generate] those kinds of numbers, but IDC says about 67 percent of all computers have some form of spyware or adware on them, and META Group [reports] about 20 percent of help-desk efforts and calls are around spyware and adware detection and cleanup.

So those studies render the cost of not tackling spyware.

Yes, and they should be a shot across the bow. The focus with spyware and adware has been on what’s the risk involved, and how dangerous it is to have on a computer. Yet … people haven’t thought about [the] other effects it has in the organization.

One effect we’ve anecdotally seen is you have people whose system performance has come to a crawl, and the tendency is to say, 'I need a new computer.' Whereas it may well be that … it’s not because your processor has gotten old, but you’ve got a lot of programs sucking down CPU cycles that you didn’t put there or might not want there.

Yet these effects aren’t acknowledged?

Many folks I talk to have not thought about it in those terms or made an attempt to measure it, to understand the significance of the problem in their organization. …

And there are a number of people who [are] aware of the spyware problem, yet [think] it’s [just] a consumer or home-user problem. People can tell you about a friend or relative’s house they went over to and removed spyware … but they don’t often feel it’s an issue in their own environment, that it could happen in their corporation.

When anti-spyware tools are employed in the enterprise, does that solve the spyware problem outright?

Absolutely. It’s important to have those tools and get them installed in your environment. There are a lot of third-party tools out there. We introduced our anti-spyware technology as part of our antivirus product. We manage and deal with spyware the same way we do as viruses and worms. … The same scanner we use for antivirus is also the same as for spyware. We don’t have two scanning engines or management consoles. … So for our customers, there’s not a need to go out and buy another product.

How widely used is the anti-spyware component of the latest version of your corporate antivirus software?

The larger the company, the longer the cycle of rolling something out, because of the expense involved … [and] we can’t really measure it. Still, over the course of [2005], we [saw] a lot of movement initially from our smaller customers and … then from the larger customers in the second half of the year.

Obviously, spyware is a moving target. How has it been evolving?

What we’re seeing is the adware/spyware guys are beginning to adopt many of the techniques of the virus writers. If you think about it, when new spyware comes out, there are lots of systems now that have defenses against spyware. So as spyware/adware matures, you now see encryption, packaging, watchdog processes. We’re actually seeing attempts at polymorphic adware, where if it sees an anti-spyware product deleting a process, it will write that process back out with a randomly generated name.

The other interesting thing is that you have some [adware companies] attempting to become … [more legitimate]. To date, it’s kind of been a gray area with adware, in the sense that adware doesn’t necessarily do something malicious on your system; it’s not deleting your files. Some adware is not taking any information off of your machine. Some, the information it takes off your machine is data to serve up an ad, so it’s not exactly private information, it’s browsing habits. You can debate whether that’s privacy related or not … [but either way] it can slow down your machine.

The other trend we’re seeing is, we think malware will [increasingly target] audio and media players. … If I can play an ad before you run an MP3 or show an ad before you play a video … I can make more money.

Have you seen any such media-player attacks yet?

We wouldn’t call them attacks, but there is some stuff that’s going on out there. … [Last year] there was a vulnerability in the Windows Media Player, a buffer-overflow vulnerability, and there’s software that will have vulnerabilities that someone will figure out how to exploit. But while we’ve listed some vulnerabilities for media players … it hasn’t happened yet. Though our guys are watching the chat rooms to see what people are trying to figure out how to do, and exploiting [media player vulnerabilities] is clearly one of them.

Related Articles:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.