Cyber threats to grow in number and complexity, warns Sophos

Firms must prepare for an increase in security threats from targeted e-mail attachments in 2009, says security firm Sophos.

Attachment-based threats were in decline, but suddenly increased from a low of one in over 3,000 at the start of 2008 to one in 200 by September, according to Sophos's latest threat report.

This trend will continue, but hackers will begin to use legitimate-looking business data files, said Graham Cluley, senior technology consultant at Sophos.

Hackers will pass on malware by exploiting vulnerabilities in documents that are not normally blocked by security filters, such as MS Word and Adobe Acrobat files, he said.

According to Cluley, attacks are becoming highly targeted, with hackers gathering corporate information to create infected documents that look legitimate.

"Businesses need to educate staff to be wary of unsolicited attachments, to protect against these attacks that could bypass filtering systems," he said.

Data leakage is another trend that is likely to increase in 2009, said Cluley, with an increasing number of people storing sensitive data on removable media.

"Research has shown that around 30% of USB memory sticks contain sensitive information," he said.

The most important step in stopping data leakage is to use encryption so that if all other security measures fail, data still cannot be read, the threat report said.

"All companies need to properly restrict their access to data and begin to use encryption. Not enough are [doing this] with their sensitive data," said Cluley.

"Customers will not want to do business with any organisation they feel is unable to look after their data," he added.

Securing company websites will remain a priority in 2009, with malicious code planted on legitimate sites being the main way criminals infect computers.

Sophos detects over 19,500 new infected web pages every day, or one every four-and-a-half seconds, the report said. High-profile victims in 2008 have included Sony Playstation, Adobe and The World Bank.

"Businesses need to realise their websites are pieces of software that can have vulnerabilities that can be used to pass infections on to site visitors," said Cluley.

The threat report also highlights that malware is no longer confined to the Microsoft Windows operating system. In 2008 there was an increase in attacks aimed at vulnerabilities in other operating systems such as Apple's Mac OS X and software for mobile devices.

This trend is likely to continue in 2009, the report said, with the increasing popularity of portable devices such as the iPhone, Google Android phone and ultra-mobile netbooks.

The threat report concludes that the number, complexity and variety of attacks will continue to escalate, demanding defence at all levels of the business.