Spam is Alive and Well and Coming to an Inbox Near You

With a slew of high-profile botnet takedowns in the past year or so, some have argued that we’d see a reduction in the amount of spam being slung around. Some have even published stories about how the number of spam e-mails being transferred has vastly declined, and have used historical numbers as a comparison to show that we are actually becoming spam-free. But the true metric – the only one that actually counts – is the effect that spam has on businesses.

Businesses don’t care if there are only ten billion spam e-mails today versus twenty billion a day this time last year. In fact, all it takes to do damage is one errant, malware-laden spam e-mail to ruin an IT department’s month and put at risk the valuable information resources that companies work so hard to protect.

If GFI Labs’ latest report has anything to say about it (hint: it does), then spam represents a real and present danger to companies in the US and UK. More than just remaining a threat to data security, however – that is, thinking it’s just a status quo thing that will continue to be a thorn in our sides, nothing more and nothing less – companies are reporting some staggering and sobering numbers that may have you scrambling for your information security policy. And you might be well-advised to have a sit-down with the staff to discuss what spam’s been doing for you – or to you – recently.

The report, published by GFI Labs and reported upon by several media outlets, has some pretty unnerving notes and overtones. GFI undertook the survey of businesses in the US and UK, and the results are fairly consistent between companies in both countries, with a few exceptions which we’ll get to in a moment. The key headlines:

  • When asked “does your business receive too much spam?” 72% responded Yes
  • When asked if the volume of spam has changed over the past year, 32% responded that it stayed the same and 52% responded that it increased
  • When asked what type of anti-spam solution they used, companies responded anti-spam component in their antivirus software (48%), dedicated anti-spam software (20%), cloud-based solution (14%), gateway anti-spam (11%), and none (5%)
  • When asked if they had been breached due to malware-laden spam, 44% responded Yes, 5% responded No, and 6.5% responded Don’t Know
  • When asked “what best characterizes the effectiveness of your anti-spam solution,” 60% responded Marginally Effective and 10% responded Not Effective
  • When asked if they regularly educate employees about the risks of opening e-mail spam, 90% responded Yes

While there was only a marginal difference between US and UK companies, of note were the tactics companies on either side of the pond use to combat spam. In the US, 14% of companies reported that they rely on cloud-based anti-spam solutions, while only 8% of UK companies could say the same. It turns out that the UK prefers anti-spam gateway appliances (22%, compared to 11% in the US).

Most shocking, of course, and difficult to shake is the number of companies that reported having been breached by malware related to e-mail spam: a full half if you include the ‘don’t know’ responses. It doesn’t take a senior research scientist to glean that there’s still a massive gap between understanding spam and the dangers it represents, and how effectively the rest of us combat the problem.

Yes, spam is declining, but the numbers are deceptive. This week, Kaspersky Labs reported that the volume of spam is indeed in decline, something we’ve been reporting for months after the takedown of high-profile botnets like Kelihos and Rustock. Of note, however, is that malware attachments and malicious links are on the rise. While spam e-mail has seen a reduction to about 80%, malicious e-mails made up about 3.8% of that traffic.

Quoted in SC Magazine, Phil Bousfield, general manager of GFI Software’s Infrastructure Business Unit, spoke about GFI’s study results and their significance. “This research shows that the spam problem is not going away and, in fact, the delivery of malicious links and files makes it more dangerous than ever before.”

The most frustrating piece of this whole puzzle has to be GFI Labs’ study results pertaining to employee education and vigilance. Educating employees is such an important facet of how IT professionals protect their networks. Clearly, the study shows that companies are doing just that, so what’s the problem? Feel free to weigh in.
