Does the panel have any advice on how to reduce the amount of unsolicited e-mail and spam entering corporate systems? Also, is spam just a pain or does it pose a real security threat to my business?
Danger lies in the naivety of the end-user
Yag Kanani, Partner in charge of security services, Deloitte & Touche
Spam is currently the biggest consumer of unnecessary bandwidth on the internet. There is a risk that users receiving huge numbers of unsolicited e-mail a day may become even more complacent than they are at the moment. Social engineers thrive on end-user complacency and a number of worm outbreaks, such as I Love You and Anna Kournikova, have been successful because recipients were tricked into launching a program, which devastated their systems and those of others.
Spam or any other unsolicited message could be used to convince an end-user to reveal sensitive information about themselves or internal computer systems; a message posing as an online survey could ask recipients for their password. The survey could also ask for other information which may allow an attacker targeting a specific organisation to gain valuable intelligence prior to launching another type of attack.
The worst thing a user can do when they receive spam is reply asking for their name to be removed from the list. Unfortunately, spammers do not adhere to or respect the Data Protection Act, and to them a reply proves that an address is in use, making it even more valuable. Spam should be discarded, preferably not opened.
Train employees to ignore spam e-mail
Roger Marshall, Elite
From being a minor annoyance just months ago, spam is fast becoming one of the top issues for corporate IT. The costs are largely hidden but are real nonetheless. They consist mainly of the time employees spend pressing the delete button as they go through the entries in their in-boxes. Some will spend time actually reading the stuff. If staff could be dissuaded from opening these e-mails, the spam industry would die a natural death, eventually.
The only effective solution on the horizon is international action to outlaw the practice entirely. The problem with that is the time it takes to get countries to act. What we can do is point out to our government the actual cost of spam to our businesses, to raise it on its agenda.
Finally, the Sobig virus is now being spread by spammers, so the answer must be yes. At least with viruses, unlike spam, the protection is effective if properly applied. One thing that you need in both cases, and for effective IT security generally, is good end-user education and firm corporate policies.
Spam wastes valuable business resources
Robin Laidlaw, President, CW500 Club
This is becoming more of a problem, and only in the last year or so have tools become available to try to tackle the issues.
From a business point of view the issues are:
- Wasted user productivity with rubbish clogging up mail boxes.
- Wasted server space having to store and manage them until deleted.
From a security point of view the issues are the increased potential threat of virus infections and Trojans, if a user opens up a malicious e-mail or clicks on a link within the e-mail. These days, however, malicious e-mails are more likely to come from known contacts so would not be blocked by spam filters anyway, especially worms that propagate by copying and e-mailing an infected PC's address book.
Get end-users to think before they click
Ollie Ross, Corporate IT Forum Tif
All e-mail receipt and internet access undertaken without appropriate anti-virus and firewall protection exposes your systems to potential intrusion.
Spam is a popular means of virus propagation and is a serious security threat. Tif members have seen spam levels double over the past year, and predict that "virus spam" will increase at the same rate, so ensure you have desktop and perimeter protection in place, and that your mail servers are configured to reduce your exposure to unauthorised access and usage.
There is a wealth of sound advice and effective coping technologies available. But one answer does not fit all, so enlist the professional help of an expert. Whether you build and manage in-house, or outsource your systems will depend on the extent of your problem, your definition of and vulnerability towards spam and the resources you have at your disposal.
Organisations using unconventional e-mail address formats and functions as opposed to individuals' names on corporate websites appear to be less afflicted than others.
Tif member discussions have concluded that your key tools are education and user buy-in. A company policy on messaging is imperative and must be communicated, understood, signed up to, current and enforced to be effective. A long list of rules is easily forgotten; your aim is to make users "think before they click". Generate a real awareness of responsibility and consequence.
Likewise, any spam reduction process you deploy will require user involvement and active participation, especially if you intend to base your solution on heuristics or white list creation. Ensure your helpdesk has a "top tips" or "what to do" list and keep everyone informed of what you are doing.
It is easy to forget the issue of "internal" spam, but don't ignore the unnecessary traffic generated by interdepartmental communications. Discourage the use of "cc" and e-mail broadcasts in favour of a regular summary of links into the company intranet.
Don't undertake any solution provision in isolation. Key spam control decisions involve blocking, quarantining, retention, notification and deletion. And while the process may belong to IT, the decision-making must rest with the business.
This was first published in September 2003