Many security professionals find themselves saddled with the job of ridding their companies of spam. Regardless of whether spam is a security issue, tackling the problem is a good way for security pros to wow management.
"There are very few things [security professionals can do] that get such visible results," said Jim Reavis, president of Reavis Consulting Group. Making it so that users get only a few junk e-mail messages each day rather than 200 is something you "can pat yourself on the back for," he said.
A spam-smashing security pro can then perhaps leverage that success to get money and management support for security issues that are more traditional, Reavis said. Taking care of spam has a tangible result that security pros can point to when asked what they have done for the company lately.
Professionals lament that security often goes unappreciated by management. Because the nature of security is to keep things from happening, a day when nothing happens is a success. Less-enlightened executives may not recognize what an accomplishment that is.
Some question whether spam is an issue security pros should be addressing in the first place. Spam is not so much a security issue as it is a system-capacity and network-bandwidth issue. Spam also affects end users. Having to delete a couple of hundred messages a day erodes productivity. It can also mean lost productivity if legitimate messages are accidentally tossed out with the dross.
There are also some possible liability issues associated with spam. Some experts think pornographic spam, for example, could be grounds for sexual harassment claims against employers.
In many companies, addressing the spam issue falls to security professionals. In many ways, security professionals are on the same path as the antivirus software vendors, many of whom have gotten into the antispam business. While spam doesn't pose a security risk like a virus or worm, stopping it requires similar technology that examines each incoming message.
Some antivirus software vendors would admit, perhaps just privately, that they really don't consider spam a security issue but that they offer antispam products because their customers demand them. The thinking goes that if antivirus software is scanning messages for malicious code anyway, then looking for spam is a logical addition.
There is another side to the spam issue. Companies that send out legitimate e-mails don't want to be pegged as spammers. That is a fear of Noelle Sinclair, information security officer with ING Direct Canada. "We have security software in place, and we do consider it a security issue. We're an online bank, so how do we do business and not be called a spammer?" she said.
Worse yet, companies face the risk of having their e-mail addresses spoofed and used by more nefarious persons, such as people engaged in online scams. Sinclair lets her company's customers know what to expect in terms of e-mails, so they'll be suspicious of illegitimate e-mail that purports to be from the bank. "We're trying to educate our clients and provide safeguards to mitigate risk," she said.