"We know exactly what to do," said Roger Cass, chief technology officer (CTO) at the Cincinnati-based medical services company. "We take the computer and clean it up, and we're always astounded by how much people can install, even with downloading restrictions in place."
While many of the worst excesses are on consumer's computers, the problem is widespread in business as well. In fact, an AOL study in late 2005 showed that more than 80% of PCs contain spyware.
And the small and medium-sized business (SMB) market is particularly vulnerable. According to "Small Business Information Security Readiness," a survey of more than 1,000 small businesses put out by the Small Business Technology Institute in San Jose, Calif., although 70% of those surveyed called information security a priority, more than half had experienced a security incident in the past 12 months.
While that includes threats other than spyware, the latter is a common cause of angst, said Laura DiDio, an analyst at The Yankee Group, a research firm in Boston. "Many think of spyware as being an annoying fact of life, but it can cause performance problems at the very least, and serious security compromises at the worst," she said. "This is more of an issue for the SMB, which has less tolerance for risk and cost than enterprise counterparts."
And spyware is growing beyond nuisance and into threat, said Dave Methvin, CTO at PCPitstop.com, an Internet security website. "It used to be that people were mildly sneaky, doing things like fooling somebody into clicking on an ad. But now, there are people who are by any measure involved in criminal activity," he said. "The really bad spyware is intended to steal information off of the computer."
Truly malicious spyware can do things like send information from accounting software like QuickBooks, or track online banking activity. "Once they get things like that, they can drain your accounts and get the money out of the country so there's no way to trace it," Methvin said.
That leaves SMBs vulnerable. Many don't even have spam-filtering software, which is the first line of defense for spyware at corporate sites, Methvin said. He estimated that most spyware at businesses comes in through spam.
"They just don't have the stuff that corporate guys do -- firewalls or things that make email nice and clean," he said. For example, Cass said MediSync doesn't have antispyware software, although he does harangue users frequently about safe computer usage, and he does have built-in guards within Windows that don't allow users to install their own applications. "I'm worried, but it's a playing-the-odds kind of thing," he said. "I have to pick my battles, and we need to spend IT resources on other things."
Methvin said that at an absolute minimum, SMBs should have antispyware software and some soft of email filtering technology that's more than antispamware. Many SMBs will start with individual licenses from companies like McAfee Inc. and Symantec Corp., but that can get pricey fast as the company grows. And enterprise versions of security software are also expensive. "I tend to see SMBs using individual tools," Methvin said.
He added that while there are several very good free products out there, always a help for a cash-strapped SMB, most require a fair amount of in-house expertise. And while Microsoft plans to offer Windows Defender in its next version of Windows, that won't be shipped until early next year. The good news is that companies are finally starting to come out with SMB versions of antispyware. (See SearchSMB.com's "Spyware-fighting offerings aplenty".)
The bottom line, however, is that you have to start with something. "Whether an enterprise or an SMB, you really have to be proactive about your defense," DiDio said, "and there's no lack of tools and utilities out there. The trick is what works for your resources."
Carol Hildebrand is a contributing writer based in Wellesley, Mass. Let us know what you think about this tip; email firstname.lastname@example.org.
This was first published in May 2006