Spam seen as security risk

As unwanted e-mail continues to pour into in-boxes, more corporate customers are viewing it as a security risk, especially when e-mail-based worms like MyDoom come onto the scene.

Marguerite Reardon Former senior reporter
Spam is definitely annoying, but corporate customers also see it as a potential security risk, according to a survey released Wednesday.

The study, commissioned by security software maker Network Associates, surveyed 356 small to large organizations in North America. Questions focused on the effects of unwanted e-mail in the corporate environment.

About 90 percent of companies surveyed agreed that spam makes their companies more vulnerable to security threats. Because of this growing concern, 97 percent of companies believe that antispam should be a part of their overall corporate security plan.

Although the study was commissioned by a company that sells antispam technology, independent experts agree that the status of spam is changing.

"Spam has always been a security problem," said Eric Hemmendinger, research director for Aberdeen Group. "But it hasn't been recognized as such. Now more people are recognizing it as a security issue, and they're implementing antispam technology."

Traditionally, spam has been thought of more as an inconvenience, requiring workers to sift through and delete dozens and sometimes hundreds of e-mail messages per day. There has been a debate over how much of this sifting and deleting affects employee productivity. While some companies have found this to be a sufficient reason to invest in antispam products, others have looked for more compelling reasons.

For one, spam takes up storage space on e-mail servers, requiring companies to back up more data and spend more time managing e-mail servers. Storage itself is relatively inexpensive, but the added cost of managing the additional data has caused many companies to invest in antispam products, Hemmendinger said.

Companies also see spam as a security threat in the wake of e-mail-based worm attacks such as MyDoom, Bagle.a and Sobig. MyDoom, the most recent of these attacks, spread throughout the Internet via e-mail last month. The worm infected a new computer every time an unwary e-mail user opened the attached file containing the program. As many as 2 million computers may have been infected.

Hemmendinger said that spam-based worm attacks are nothing new, but hackers are increasingly using them as a tool to slip in damaging programs. Once these worms land in e-mail in-boxes, they can wreak havoc on a person's computer or be used as a Trojan horse to damage other machines.

"By recognizing the characteristics of spam, such as volume, antispam products can help solve a big security risk," Hemmendinger said. "It's not the only solution, but it can be used as part of an overall security strategy."

The survey results also indicated that companies want to buy antispam technology from existing security vendors. Network Associates said that 86 percent of the participants surveyed agree that they would prefer to purchase antispam technology from a specific security vendor that also protects their systems from other types of threats, malicious code and vulnerabilities.

Hemmendinger agreed with the findings and said that bundling antispam protection with current antivirus protection will likely provide additional revenue for existing security companies. But he also said there is still opportunity for smaller vendors.

"A lot of organizations will probably look first to existing security providers," he said. "But if they aren't satisfied with that offering they'll look elsewhere. If the problem is serious enough to start looking around, they won't wait six or nine months for their current security provider to get a solution."