The truth about spam

It's very easy these days to think that spam has been filtered out of existence and is no longer a problem for your business. Davey Winder argues it's more of a problem than ever.

COMMENT: Spam filtering has, without any shadow of a doubt, improved beyond recognition compared to just a few years ago.

Server-side systems have evolved to the point where relatively little spam gets through the defences, and are intelligent enough to ensure few false positives leading to genuine correspondence being flushed away with it.

So why am I insisting that spam is still a problem for your business?

In the words of Aleksandr Orlov, the TV advertising meerkat rather than a Russian security researcher, simples. While the little spam that does breach enterprise defences can perhaps be thought of as a minimal nuisance as far as employee productivity is concerned, that's far from the big picture.

When Opinion Matters – on behalf of GFI Software – recently conducted an independent and blind survey of more than 200 UK businesses, the results were perhaps rather shocking. The volume of spam, as far as decision makers within the SMBs polled were concerned, is not going down, it's going up.

Some 61 per cent said spam volumes had risen during the last 12 months and a further 21 per cent had seen no reduction in spam traffic rates.

And that's not all. Some 40 per cent of them admitted their business had suffered a data breach as a direct result of spam.

Wait a minute, spam-based data breaches? Surely not? Actually, when you think about it, the real response should be 'nothing new there.' After all, the favourite method of getting access to your data is to get someone within the enterprise to follow a malicious link or open a malicious file in order to execute a Trojan payload of some kind. And amongst many other methods, distribution of those links and attachments via spam is a hugely popular delivery route.

The thing is that, as I see it, the malicious spam threat has never gone away. Instead it has been downplayed by a tunnel vision in enterprise security strategy, which relies upon those evolved anti-spam filters to deal with it at the expense of taking a more layered approach to the problem. The survey found that 46 per cent of the businesses questioned relied solely upon the anti-spam component of their favoured anti-virus solution to deal with it.

What I find surprising about nearly half of those asked relying upon this one-chance-only spam filtering solution is that 62 per cent also admitted their anti-spam strategy was only marginally effective, with 8 per cent stating it wasn't effective at all. Amazing, especially when you consider the top concern shown by these same companies about spam was it may harbour malicious content that could compromise their networks.

Finally, some 14 per cent of those asked didn't have any education programme in place to ensure employees were aware of the spam threat, could recognise the dangers and be able to deal with them appropriately.

Until this situation changes, until those responsible for the security of the network take off the rose-tinted spectacles and admit both server/cloud and client-side approaches are needed to trap the most spam possible, the spam problem will not be going anywhere.

So, what can you do about? Well the obvious bullet points to concentrate on have to be user education and a bit of a rethink on the filtering technology front. The latter is vital if you are to actually have a more effective method of ensuring your business stays as spam-free as possible.

Simply having blind faith in your existing anti-spam solution is of little real world use if spam is still actually getting through in enough volume to cause the kind of problems outlined in this report. Actually, I'd say that a single malicious spam is one too many, but I appreciate we do not live in an ideal world.

Throwing money at the perceived non-problem of spam is not going to be an easy sell, I grant you, but the bean counters have to factor in the risk of malicious linkage and file attachments getting through when determining the true value of a little investment to the business.

User education is vital to ensure that when those rogue junk mails do slip through they are not actioned in a way that will compromise the security of your data. The danger is that those same bean counters will see education as the cheaper option and follow that course at the expense (every pun intended) of a technology review. This, in my never humble opinion, would be a big mistake: the one is diluted too much without the other.