No matter where you are or how big you are, if your organization hasn't been affected by spyware yet, it's only a matter of time.
That's the message from Boulder, Colo.-based Webroot Software Inc. According to the antispyware vendor's quarterly "State of Spyware" report released this week, the spread of secret nefarious and malicious programs has quickly become a "global pandemic."
Webroot CEO C. David Moll said spyware is no longer confined to a handful countries or a single continent. In fact, it's everywhere.
Moll said his customers have reported spyware problems in 223 countries. What's more, unlike spam, which he said took nearly two years to plague users around the world, spyware has become the scourge of Internet users everywhere in just a matter of months.
As further illustration, Webroot's report finds the trio of countries with the highest spyware infection rates represent three different corners of the globe. This is based on an survey of 63 companies representing 351,149 PCs and laptops connected to the Internet, according to study details.
The U.S. was found to have the highest national spyware infection rate, with an average of 24.4 spyware programs per scanned PCs.
Ranking second was the U.K. with an average infection rate of 18.7 programs, with Thailand rounding out the top three with 18.1 programs.
What do those nations have in common? Moll said each has a vast broadband network, and a sizable portion of its population using it.
"A broadband user does more things like file sharing and spends more time online, and tends to be a more sophisticated user," Moll said, adding that it's those uses who are more likely to experiment with peer-to-peer programs, surf to new Web sites and download shareware, all of which drive spyware proliferation.
The more things change…
Webroot's survey was compiled using data from customers of its Web-based antispyware application, and from a poll of corporate IT professionals in charge of security compliance.
Of those who responded to the poll, more than two-thirds categorized spyware as a serious threat to their organizations, and 97% said they worry that spyware may access employee data, pilfer intellectual property or access company or customer information.
The vendor issued a similar report last quarter, and Moll said overall spyware awareness has increased from quarter to quarter, but tragically that hasn't equated to progress in combating its proliferation.
"So many states are taking action, and Federal bills are in consideration, so when you take all of that together, you might expect to see some [progress]," Moll said. "Frankly, we don't."
The 80% infection rate is roughly the same as when Webroot began its quarterly research effort, Moll said, and the most serious kinds of spyware programs -- Trojans and keystroke loggers -- continue to grow.
Key to the highway
Another significant finding of Webroot's report is that keystroke loggers -- programs that monitor and often transmit data on how a keyboard is used -- are posing a bigger threat than ever before.
Moll said keystroke loggers are becoming increasingly sophisticated. They are emerging as the biggest threats to consumer privacy and data security on the Internet, and may soon surpass phishing as the most widely exploited method of electronic identity theft.
"Phishing has served as the traditional model for getting somebody to a Web site to steal their information," Moll said. "It's been failing more often as people become more educated about it, but to get a piece of software on a user's machine gives the same opportunity [to steal] usernames, account numbers, etc."
It poses an even greater threat in the corporate environment, Moll added, because the stakes are much higher when comparing an individual's finances to those of billion-dollar enterprises.
"What happens when a keystroke logger is sitting on a payroll PC, or account payable, or on a trading desk?" Moll asked. "When huge amounts of money are being transferred, it represents a grave threat to corporations, as well as in regard to corporate espionage and intellectual property theft."
Fortunately, Moll said, corporate spyware awareness continues to rise, and that may be the difference in preventing a major spyware-related security breach or data theft.
He also said the work of the Anti-Spyware Coalition, a coalition of more than two dozen technology vendors and interest groups, is helping to more clearly define spyware and aid antispyware vendors in searching for and removing it.
However, there is still work to be done. Moll said the industry must realize that antispyware software is now just as essential as antivirus software. Those that don't understand that, he said, are putting themselves at risk.
"Don't hope that you're going to browse to a new Web site and be OK," Moll said. "It only takes one mistyped URL to bring spyware down in spades."