Businesses in Canada and other parts of the world have to deal with a deadly combination – increasing spyware attacks and widespread employee ignorance about security practices.
More than 55 per cent of small and midsized businesses (SMBs) and large enterprises report the volume of spyware they are battling has increased over the past 12 months, according to a recent survey by the Computing Technology Industry Association (CompTIA).
About 54 per cent of the 1,070 respondents cited “lack of user awareness” as a major security challenge, said the Chicago-based worldwide group of IT professionals and companies.
One Canadian security specialist said SMBs and individual users are low-hanging fruit for attackers.
“SMBs are very appealing targets for attackers, and users are typically the most accessible entry point,” said Marc Fossi, manager of the Canadian security response team at Symantec Corp.
There is a widespread need for periodically refreshed employee education, he said. “Users need to be educated on new threats and trends as they crop up. You can’t just give one class and say that’s it.”
Organizations are expending as much as 20 per cent of their IT budgets on security software and hardware products, but are concentrating training on the wrong people, said Steven Ostrowski, director of corporate communication for CompTIA.
“They’re certainly investing on protection, but most of the education is going to the IT staff. Only 35 per cent of the companies we polled are providing security training to regular staff.”
Ostrowski said this raises a major concern because when a large number of untrained employees have access to an organization’s network they become a huge potential risk.
CompTIA recently commissioned TNS PLC, a London-based global marketing insight company, to survey companies on their security concerns and practices.
The pollsters interviewed IT managers and security administrators of organizations in industries such as retail, marketing, technology, education, finance, healthcare and government.
About 95 per cent of the respondents were based in Canada and the U.S.
Apart from low security awareness among employees, other challenges reported included: viruses and worms (49 per cent); authorized user abuse (44.2 per cent); browser-based attacks (41.5 per cent).
CompTIA noted that incidents attributed to browser-based, virus and worm attacks were down from last year’s numbers.
Protecting networks accessed by mobile or telecommuting workers also figured among the top security challenges that companies expect to face in the next three years.
“Spyware was rarely mentioned as a concern a few years ago. It seems to have made a comeback,” said John Venator, president and CEO of CompTIA.
Spyware might be an annoyance for users, but its consequences for IT administrators may be more severe – tying their hands as they attempt to deal with multiple attacks.
“Even in a mere 10-person shop, clearing individual PCs of spyware results in serious downtime,” said Ostrowski.
Much of this could be easily alleviated, he said, by regularly providing line workers with basic security training.
“Simple things such as not opening an unknown attachment or keeping a password secret could be discussed in small, inexpensive training modules.”
New workers, for instance, can be given basic security training along with the employee orientation they receive from the human resources department.
“Explanation and rules about IT security will carry more weight coming from the top than from IT personnel,” Ostrowski said.
Symantec’s Fossi suggests that, rather than just sending a broadcast e-mail to employees about a new virus, companies should hold information sessions about the threat.
Trainers must focus on teaching users how to identify and respond to security threats, said Robert Beggs, CEO of DigitalDefense Inc., a Toronto-based security firm.
“A lot of the time, users cannot identify a security threat and do not know what to do or who to call when confronted with one,” Beggs said.