Sep 20 2005

New Public Enemy Number One

They've battled computer spam and viruses. Now small businesses face a fierce new threat from spyware.


Photo: Andrew Kist
Robert Mezzone, Network Administrator, and Diane Coffey, Managing Director, Peter J. Solomon

With a hectic workday ahead, Diane Coffey tenses as her computer slows to a crawl.


"You always feel under the gun, so any hitch in the system is extremely frustrating," says Coffey, managing director at Peter J. Solomon, a New York-based investment banking firm. "You wait and wait, and you think this is only an aberration. But seconds turn into minutes, and minutes turn into hours."


A scan of Coffey's computer turns up what has become an even bigger virtual pest than spam: spyware. These stealth programs, which download onto the computers of unsuspecting victims and send information back to their creators, can slow computer performance, crash the system and spawn out-of-control pop-up ads.


"Spyware's a huge problem, and it keeps getting worse," says Nick Ferguson, information systems (IS) manager at Peregrine Pharmaceuticals in Tustin, Calif. "We pay the employees to come in to work, and spyware basically makes the computers unusable. It's counterproductive."



Spyware has grown into a $2 billion industry, according to Webroot Software, a Boulder, Colo.-based antispyware software vendor that conducts a quarterly survey of the problem. In the first quarter of this year, 87 percent of corporate PCs contained some form of spyware-type software, according to the survey. But, say experts, even small companies with limited resources can win the war against spyware with the right arsenal of tools. That arsenal includes software, user education, policies and vigilance.


The obvious first step is prevention. As with viruses, however, it's hard to protect against an enemy that is not only ill-defined but also mutating. "Spyware is constantly changing," says Peter Firstbrook, an information technology security analyst with the research firm Gartner. "This is an arms race."


What's more, once downloaded, the programs are hard to remove, warns spyware researcher Eric L. Howes, who analyzes antispyware tools for


"They just litter the system with all sorts of files and registry data," he says. If not cleansed entirely, the programs can resuscitate themselves. "You can have 100 files, and you can remove 99, but if you miss that one, it comes back."


Building an Arsenal


Until recently, only a few small vendors offered antispyware programs specifically for the desktop PC. In his two-year fight against spyware, Ferguson has had success using combinations of desktop antispyware products. Although they block some spyware programs, these products' real strength is detecting and erasing spyware on the PC. One product might pick up 75 percent of the spyware on a machine, while a competing product will catch the rest. But desktop antispyware products typically depend on the user or IT administrator to prompt them to run a scan. And with 150 machines on his network, cleaning every infected computer individually is becoming cumbersome, says Ferguson.


In the last several months, however, most antivirus vendors have released enterprise-level spyware products that can be administered centrally. In addition, software giants such as Symantec and Microsoft are getting into the act.


In fact, vulnerabilities in Microsoft's Internet Explorer have been a source of spyware's growth. Ferguson found some relief by using Mozilla Foundation's Firefox Web browser, but many sites will load only in Internet Explorer, so he can't make a complete switch. Spyware also is rare on Apple and Linux operating systems.


Microsoft has taken several steps to correct the problems. Its Windows XP Service Pack 2 fixed many of the flaws, and Microsoft recently released a free beta version of antispyware for Windows.


Creating limited user accounts instead of giving users administrative privileges can go a long way toward fighting spyware, says Howes.


Particularly on a small business network, users want to be able to install software, modify the registry and change settings. However, that may be a freedom the IT manager should limit: If the user is able to download software or modify the registry, spyware can too, he explains.


Firewalls and automatic software updates are other critical security measures, and some businesses may even consider a gateway, which can help filter out unwanted sites. There are dedicated spyware gateway solutions, but they're still fairly crude, says Howes. "No solution is 100 percent. You're always going to need a layered approach."


Educating Your Armed Forces


A strong firewall and security measures on local machines could help Peregrine combat spyware, but because it hosts its own Web site and domain-name server in-house, certain ports must remain open, explains Ferguson. That's where user education and company policies come in. Some employees may be asking for trouble, visiting dubious sites and downloading smiley faces, songs or weather reports. But many spyware victims never knowingly consent to questionable downloads.


Businesses can use Web content filters to keep users away from certain categories of sites, but more important, they should educate end users to download only from reputable vendors, says Firstbrook. They also should read user agreements and contracts carefully, he notes. Some spyware uses misleading language, such as "click no if you want to download this program."


One way to remind employees of the dangers of spyware is to survey them periodically. A federal government agency has developed its own custom program that produces pop-up screens that test employees' knowledge of best practices. They must answer the questions in order for the pop-up to disappear. The results of the survey help the IT manager discover which employees may need more education on how to keep spyware off a PC.


Eternal Vigilance


Some small businesses have been lucky. Spyware blockers on every machine and tightly configured firewalls have done the trick for Inner Traditions, a 45-employee book publisher in Rochester, Vt. "Spyware can't get in here," says systems administrator Scott V. Blomquist.


At Peter J. Solomon, Coffey's problematic spyware experience was quickly brought under control by network administrator Robert Mezzone. Once he scanned her machine, found the spyware programs and cleaned them, her computer was back to normal.


"If people call and complain of a slow computer, nine out of 10 times, it's spyware," says Mezzone, who gets those calls about once a month.


As the only dedicated IT employee, however, he knows he needs to take action before it gets worse. He's been looking for an antispyware tool with a high detection rate that can be managed centrally and has high hopes for the new enterprise-level products.


"We want to be proactive because when people can't work at the pace they need to, they get very frustrated," says Coffey. "In a financial business like ours, you know that you have to get your numbers correct, and every delay is exasperating."


Spyware detection rates vary. Some programs achieve high rates but also come with a high number of false positives. Some count cookies as spyware, while others focus on more malicious programs. As a result, there have been industrywide discussions about devising common standards and definitions of spyware.


"I think part of the problem is that it's such a new phenomenon," says Mezzone.



CEO Takeaway

What is spyware?
Spyware is any program that's downloaded onto a computer to collect information about the user without his or her knowledge. Adware is a common form of spyware that collects information about a user's computing habits to create pop-up ads targeted specifically to that user.

Why should CEOs care?
Pop-up ads can get annoying, but more malicious forms of spyware can harm a business. Keystroke loggers or hijackers—two types of spyware—can steal passwords and, in turn, sensitive information. Even the less damaging forms of spyware can be costly for a small business because they can render a computer useless or zap network bandwidth.

How can a CEO protect the company from spyware?
Several software programs block, detect and clean spyware, and some are free. Firewalls, Web-content filters and other tools can help protect businesses. One of the most important steps is teaching employees to stick to legitimate Web sites and use caution when surfing the Web, checking e-mails or downloading software.