Widespread reports of spyware and other malicious code penetrating enterprise networks don't seem to reflect the...
experiences of those surveyed by a New York research firm. Only about a quarter of businesses recognized spyware as a major problem. Ninety percent also saw no security risk in instant messaging, and 80% saw no threat from personal e-mail accounts.
The responses were a bit surprising to Myron Kerstetter, senior vice president of TheInfoPro Inc. He interviewed 111 enterprise IT managers across a variety of industries in February for the study, meant to document attitudes about emerging Internet-based security threats from spyware, peer-to-peer file-sharing software, instant messaging (IM) and personal e-mail accounts. TheInfoPro conducted the survey on behalf of San Jose, Calif.-based firm Secure Computing.
"A higher level of people than expected either didn't recognize the extent of the threats or their management didn't recognize it," Kerstetter said. "Others seemed to think that they have the problems licked."
That's not to say Kerstetter thinks respondents had their heads in the sand. "It could be that some just haven't been hit yet, while others don't see a problem with things like IM because they simply don't allow its use," he said. "They've decided to hold off on using IM because of uncertainties over its security. Since they don't allow it, they don't see it as a security problem for their business."
Most surprising to Kerstetter was the lack of concern over spyware despite widespread warnings about the threat, including an EarthLink study showing that the average PC has 28 spyware programs and a report by Dell that found spyware accounts for 12% of all PC desktop support calls. Of those he surveyed, 70% saw spyware as either no problem or a minor problem.
"There are companies, particularly the larger ones, that may feel they have the proper tools in place against spyware," Kerstetter said. "We did hear from people who are concerned about it, but they were in the minority."
The study also found that 90% of businesses saw file-sharing software -- often blamed for spreading spyware and other infections -- as "not a major problem." The study noted that IM and personal e-mail accounts are often cited by security experts as sources of data loss, information leaks and the backdoor entrance into networks for viruses and worms. It also noted another recent study by the Opinion Research Corp. that found 62% of respondents who use IM at work do so for personal reasons. Yet 90% of those Kerstetter surveyed saw IM as no problem or a minor problem, and 80% felt personal e-mail accounts were no problem or a minor problem.
The study found that most companies are attempting to address security threats primarily with workplace policies, and some also use software tools and procedures. More than 80% of employers have policies addressing spyware and e-mail, and nearly 70% of employers have policies covering instant messaging and file-sharing software.
Gordon Corzine, principal of Corzine IT Consulting of Marblehead, Mass., provides network security for businesses that typically have only three to seven employees. He said his clients' experiences with spyware are quite different from those of the respondents in Kerstetter's study.
"Most of my customers have had one problem or another with spyware," Corzine said. "Some of them try to keep their systems clean and stay on top of things while others have accidentally opened themselves up to infection without realizing it. Once they're infected, it's difficult to remove."
Corzine said it's possible those Kerstetter surveyed don't see as much trouble because enterprises, especially larger ones, tend to have more extensive security software and devices, plus bigger IT staffs. "It could also be that they have other problems they see as more important," he said.