By Elizabeth Millard E-Commerce Times Part of the ECT News Network
10/24/03 3:56 AM PT
As IT departments battle trojans, viruses and worms, one particularly nasty
critter is still finding myriad ways to slither onto enterprise PCs. Spyware,
usually considered an annoyance of home users, has been showing up more often
in the corporate world, and it is bad news for business users.
"For the most part, organizations are blind to it," Forrester analyst
Michael Rasmussen told the E-Commerce Times. "They focus on viruses and
don't think about the danger that spyware represents. Because of this, I
think it'll get worse before it gets better."
What can companies do to defend themselves against this largely unseen
scourge?
Spy vs. You
In a nutshell, spyware is defined as any technology that helps gather
information about a person or organization without their knowledge. It
can infiltrate a computer through a virus or, more often, as the result
of a user's decision to install a new program or download a file from the
Internet.
Some spyware programs are relatively benign, used only to monitor people's
Web surfing habits and send that information back to marketing companies. These
particular programs are usually termed adware, and marketers are keen to distance
them from their more malicious kin. Other types of spyware programs may be deliberately
installed, often by bosses who want to make sure their employees are not wasting time.
The most dangerous form of spyware is the kind that invades a computer system, tracks
users' keystrokes and then delivers that data back to someone who wants to do harm. If
keystrokes are recorded, for example, a spyware author could gain access to corporate
passwords, credit card numbers, e-mails and other sensitive documents.
Rasmussen noted that this type of spyware is far more prevalent than enterprises may
think. "The threats are very significant," he said. "It's a huge problem."
Spy Network
Although spyware has been around for years, some analysts believe the
problem is worsening.
Yankee Group senior analyst Eric Ogren told the E-Commerce Times that the
spyware threat is growing because of the mobility of today's workforce.
"Enterprises are extending their networks out, so you see laptops being
hooked up to hotel networks and workers using their home PCs," he said.
If security is lax for laptop machines and home networks, spyware can gain
a foothold and begin recording data. As Ogren noted, "Companies aren't doing as
much as they should to stop this problem from spreading."
Danger Ahead
Spyware, in its most pernicious form, constitutes more than an invasion of
privacy. It puts a company at risk and could result in harsh penalties down
the road for the victimized enterprise.
"Imagine that spyware gets onto the computer of a field agent of an insurance
company," Rasmussen said. "The program sends sensitive data back to its source.
Now you've made all that data vulnerable, and you could have a class-action
lawsuit on your hands."
He added that companies that are regulated, such as banks and insurance firms,
should be paying special attention to preventing spyware.
Michael Wood, vice president of sales at Lavasoft, which makes the widely popular
Ad-Aware spyware removal program, told the E-Commerce Times that a particularly
prevalent kind of spyware is called a "dialer." This program changes a user's dialing
preferences, causing the user to run up dial-up phone bills of hundreds or even thousands of dollars.
Because dialers are not illegal, employees on the road who must dial in
for Internet access could be vulnerable to this kind of intrusion.
Preventive Measures
Although companies are not doing as much as they could to stem the spyware
tide, there are strategies for keeping damages low and banishing such programs
from enterprise computers.
For starters, Lavasoft's Ad-Aware scans for spyware and smokes it out of its
hiding places. Wood said his company now is focusing more on enterprise customers
and will continue to refine its product for that market. In the meantime, he
suggested, some user education might not be out of place.
At the very least, informing users of the dangers of spyware makes them
aware of the problem. Smaller companies can even encourage users to perform
spyware checks themselves by visiting a site like PestPatrol.com, which
offers free spyware scanning of individual computers.
"IT managers should make sure to tell users, again and again, not to open
attachments unless they know they're safe," Wood said. "Also, in a company,
the IT department should be given the power to eliminate the ability of
users to install software on their machines."
Bundling Benefits
Rasmussen noted that security heavyweights Symantec (Nasdaq: SYMC) and Network Associates
have been enhancing their product suites with anti-spyware components, which
should cut down on the amount of software IT departments have to buy. Also,
because complex security applications often have centralized control, an
IT manager would not have to run from machine to machine when checking
the status of the software.
"You don't want to have to install anti-spyware programs along with doing
patches and firewalls," he said. "You want to pick one program that does
everything fairly well. It's too costly the other way."