Spam seen as security risk

Spam is definitely annoying, but corporate customers also see it as a potential security risk, according to a survey released Wednesday.

The study, commissioned by security software maker Network Associates, surveyed 356 small to large organizations in North America. Questions focused on the effects of unwanted e-mail in the corporate environment.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

About 90 percent of companies surveyed agreed that spam makes their companies more vulnerable to security threats. Because of this growing concern, 97 percent of companies believe that antispam should be a part of their overall corporate security plan.

Although the study was commissioned by a company that sells antispam technology, independent experts agree that the status of spam is changing.

"Spam has always been a security problem," said Eric Hemmendinger, research director for Aberdeen Group. "But it hasn't been recognized as such. Now more people are recognizing it as a security issue, and they're implementing antispam technology."

 Unwanted e-mail isn't going away anytime soon.

Traditionally, spam has been thought of more as an inconvenience, requiring workers to sift through and delete dozens and sometimes hundreds of e-mail messages per day. There has been a debate over how much of this sifting and deleting affects employee productivity. While some companies have found this to be a sufficient reason to invest in antispam products, others have looked for more compelling reasons.

For one, spam takes up storage space on e-mail servers, requiring companies to back up more data and spend more time managing e-mail servers. Storage itself is relatively inexpensive, but the added cost of managing the additional data has caused many companies to invest in antispam products, Hemmendinger said.

Companies also see spam as a security threat in the wake of e-mail based worm attacks such as MyDoom, Bagle.a and Sobig. MyDoom, the most recent of these attacks, spread throughout the Internet via e-mail last month. The worm infected a new computer every time an unwary e-mail user opened the attached file containing the program. As many as 2 million computers may have been infected.

Hemmendinger said that spam-based worm attacks are nothing new, but hackers are increasingly using them as a tool to slip in damaging programs. Once these worms land in e-mail in-boxes, they can wreak havoc on a person's computer or be used as a Trojan horse to damage other machines.

"By recognizing the characteristics of spam, such as volume, antispam products can help solve a big security risk," Hemmendinger said. "It's not the only solution, but it can be used as part of an overall security strategy."

The survey results also indicated that companies want to buy antispam technology from existing security vendors. Network Associates said that 86 percent of the participants surveyed agree that they would prefer to purchase antispam technology from a specific security vendor that also protects their systems from other types of threats, malicious code and vulnerabilities.

Hemmendinger agreed with the findings and said that bundling antispam protection with current antivirus protection will likely provide additional revenue for existing security companies. But he also said there is still opportunity for smaller vendors.

"A lot of organizations will probably look first to existing security providers," he said. "But if they aren't satisfied with that offering they'll look elsewhere. If the problem is serious enough to start looking around, they won't wait six or nine months for their current security provider to get a solution."