A few weeks ago one of our computers at home became infected with Scareware – software which attempts to trick you into believing that it’s a genuine piece of security software that has discovered viruses on your computer and needs to be purchased to remove them. Of course there are no viruses or other nasties on your computer – apart from the Scareware itself – and if you were foolish enough to provide your credit card details on the linked website, you would not receive any ‘software’, but it’s highly likely your credit card details would be stolen and cloned.
Being in the IT security industry gave me an advantage as I know about Scareware, but I could imagine how many individuals and businesses could have been fooled into thinking that their computers were genuinely infected. The screens and everything about the Scareware made it look like a genuine application – they had even used the Windows security branding!
Scareware is only the latest in a bewildering and ever-expanding range of security risks and dangers that every business, no matter what size, is facing on a daily basis. Hardly a day goes by without a major security breach or incident; and these are only the major incidents at larger, higher-profile organisations. It is safe to assume that IT security breaches and incidents are costing UK businesses billions each year.
Cybercrime is now a fact and has moved far beyond teenage boys hacking into websites from their bedrooms to post images, to a global network of highly co-ordinated, financially organised criminals. These gangs of hackers now target companies to steal trade secrets or other commercially sensitive information, to build networks of compromised machines or to steal employees’ personal identities.
And these dangers are only too real.
In 2009, anti-virus vendor Sophos reported that in its annual security survey of companies, 72% believed that employees’ use of social networking sites presented a major security risk, with 70% more companies reporting malware and spam attacks via social networking sites compared to the previous year. The sophisticated Koobface worm is largely to blame for this increase and it continues to become more sophisticated.
In the past, email spam and email-borne malware were considered to be the main attack vectors. Now the Web is the favoured route for the cybercriminals and hackers. However, that does not mean that the security risks of email have diminished; far from it.
Spam continues to be a major problem, with anything up to 95% of all emails sent every day being classified as spam. And email attachments, in particular PDFs, continue to pose a significant threat.
However, more often, email is now used to drive recipients to compromised websites via web links embedded in the email message. It would appear that it’s all too easy for the hackers to modify web pages to deliver malware to unsuspecting visitors. Recent figures from Sophos suggest that a new infected Web page is found every 2.5 seconds and that 80% of these pages are to be found on reputable sites.
More worryingly, an entire ecosystem has developed around cybercrime – malware toolkits, testing for new viruses against popular anti-virus packages – prompting Cisco to state in a recent report “Do Online Criminals Read Business Week?” With these increased risks, a company now needs to invest more of its precious IT budget in security.
Investing in IT security can sometimes be seen as a bit like paying the local gang to make sure that your office building isn’t burnt down. Your building doesn’t go up in flames, but that investment has not improved the effectiveness or efficiency of your business, increased sales or lowered your costs.
Should IT security products and services do what they say on the tin? Absolutely, but shouldn’t that investment also deliver real business benefits? More companies are now realising that IT security can do just that.
In the area of web filtering for example, apart from providing protection against inappropriate content and malware, many companies are now using web filtering to ensure that staff do not spend excessive amounts of time on non-work related web sites. Not only is Cyberslacking a productivity drain, it can also increase risk and can impact the performance of IT systems when the network becomes clogged with non-business traffic such as streaming video or music.
Now companies are starting to look at email as another potential source of delivering business benefits from investing in IT security. Analyst group Radicati estimate that 50% of emails processed by business email servers are non-business related. With estimates that the average employee spends around two hours dealing with email each day, this could present a major opportunity for companies to optimise staff productivity.
Email filters that not only block spam and malware, but also use advanced software techniques to accurately identify business and non-business emails, will come to be seen as a mission-critical asset to business in the years ahead.