Spyware costs plague SMBs

Never mind the security dangers, spyware is costing SMBs plenty in time and productivity.

Think spyware is a scourge on PCs? Small and midsized businesses are increasingly falling victim to the insidious software, paying the price in lost time and productivity, according to analysts.

Bryan Cave LLP, a law firm based in St. Louis with more than 800 lawyers globally and approximately $450 million in revenue, runs a sophisticated IT operation -- with a sophisticated spyware problem and a lack of options in the SMB space.

"Spyware is a huge problem, and it has immediate financial impact," said John Alber, partner, who oversees the firm's client technology group.

Bryan Cave has upped its efforts to stop spyware before it comes in, but this has proved difficult. "One of our problems has been that there are no truly enterprise applications for spyware prevention. There are a number for the personal market, but those are only just becoming enterprise scale. Even the best of them let things slip by, so you have to go in manually and ferret them out," Alber said.

It takes an average of two hours for his staff to go over a machine manually, Alber said -- not exactly chump change when hourly fees range from $100 for a legal assistant to upward of $600 for partners.

Spyware, loosely defined as any software that surreptitiously monitors user information through the user's Internet connection, has largely been tagged as a consumer problem -- polluting PCs with pop-up ads and the potential for identity theft.

Last month's high-profile lawsuit from New York Attorney General Eliot Spitzer against L.A.-based marketer Intermix Media Inc. is likely the first of an avalanche of attacks against distributors of spyware and the companies that use it.

As the courts sort out what is -- and isn't -- spyware, the statisticians at least are convinced the problem is endemic among consumers and corporations alike.

"It started as an annoyance and now it's becoming a crisis," said Brian Burke, an analyst and research manager of Internet security at IDC.

Spyware eating up help desk hours

IDC estimates that spyware represents 30% of all help desk calls today.

A new report from Webroot Software found various forms of spyware in 87% of the machines it scanned in the first quarter of 2005.

A spyware-infested computer can become very sluggish, making users wait for even routine tasks, like e-mail or spreadsheets. For a firm, such as Bryan Cave, with employees who charge by the hour, the pain is palpable, but even the smallest of businesses are being squeezed.

Just ask Jim King, founder of Air Quality Management LLC in Acton, Mass.

King diagnoses and solves air quality problems at commercial and residential properties, running the business from a single computer. He uses Microsoft XP, deploys a sturdy firewall, and until recently felt confident he and his antispyware programs, Spybot and Adaware, were up to the task of keeping out the toxic software. Then he found himself fighting off 15 minutes' worth of pop-up advertisements every time he turned on his computer.

"The programs infiltrated my system through the Internet and became embedded as part of the startup menu," King said. "I realized I needed every minute of my day to be running this business. I do not want to become an adware expert."


He ended up spending several hundred dollars to hire Ekaru LLC, an IT services provider in nearby Westford, Mass., to walk him through the cleanup.

"We have seen a huge increase in spyware over the past year," said Ann Westerheim, Ekaru's founder and an MIT-trained engineer. "The problem is so insidious that it takes multiple approaches using different removal tools and taking multiple passes."

In fact, there is a running debate among Westerheim's staff about whether to keep pursuing the spyware or simply rebuild the infected computer.

Many SMBs are taking the second route, according to Jim Slaby, senior research analyst at Boston-based Yankee Group.

"SMBs will spend three or four hours installing various antispyware devices and then throw up their hands. The only way they can think of to root out the spyware is to re-image the machines," Slaby said.

Spyware dollars scarce

IDC's Burke said his clients are sounding the same complaint.

"What we're hearing is that spyware is becoming much more sophisticated and the solutions these companies had purchased -- first generation antispyware solutions -- are becoming less and less effective. What they're winding up doing is physically re-imaging users' machines," he said.

Is it expensive to re-image a computer? You bet, Burke said.

Time is lost because the machine was not as productive as it should have been. There's the employee's loss of productivity while the machine is re-imaged. There's the loss of the IT person's time and, on top of that, the data that may have been lost or corrupted because of the spyware problem.

Money is the issue in combating spyware, said Bruce Barnes, principal of Bold Vision LLC, a consulting firm of former CIOs in Dublin, Ohio, that provides peer-to-peer counseling and advice.

"Everybody I've talked to, from CIOs at the multibillion level down to the $5 million range, says 'Yeah, we're concerned about the magnitude of the problem. We know it's real, but we're out of cash,'" Barnes said.

CIOs have focused on the Sarbanes-Oxley Act and other legislative requirements. Considered a nuisance, spyware has gotten short shrift, but that attitude is short-sighted.

"It's a huge business problem. It's huge from the standpoint of its reach and it's huge in terms of what it's going to cost to fix it, because it's so easy to be infected," Barnes said.

One of the prime ways computers are infected is through employees surfing the Web. "I don't care what your rules are, it's pretty hard to legislate against that," Barnes said. Making the case to protect against this latest threat is also a challenge for CIOs, he said, likening it to the arguments for disaster recovery a decade ago.

"How do you go to the CEO of your company and say, 'I need six or seven digits worth of money to defend against something that hasn't happened yet?' You say, 'Trust me,' and he's going [to say], 'Wait a minute, I'm fighting for customers, I'm struggling with marketing and manufacturing and keeping the network alive, and you want money for something that hasn't bothered us yet?'"

Just wait.
