Utah Business Magazine
Features April 2005

From Spam to Spyware
Securing Yourself from Cyber Threats
by Lucy Burningham

For most Americans, keeping up with the latest cyber security threats has become a daunting task. Why not read thirty magazine subscriptions every month or run a marathon without shoes? But before you throw up your hands and vow to just reboot every time your PC starts acting strange, take note. Now is the time to get in the habit of learning about cyber security as it develops, because things are only going to get worse.

The bleak prediction doesn’t come from doomsday prophets or conspiracy theorists, but from cyber security experts who have watched hackers and greedy data miners become increasingly proficient during the past decade. Even the most non-technologically minded business owners are beginning to understand the importance of ramping up security with whatever method best fits the budget.

Cyber threats have leveled the playing field among everyone who accesses the Internet—whether you’re working inside or outside an organization, you’re a potential target. Those who create cyber threats see each computer as a portal to information that could result in profit, or simply as a platform for mayhem. In more threatening situations, a program or hacker may be aiming to access a company’s most coveted data.

According to Pete Ashdown, president of Internet service provider (ISP) XMission, businesses are most threatened and bogged down by the most obvious of nuisances—Spam. For the most part, Spam may simply slow productivity or an email server, but that lost time can result in lost revenue for any company. Ashdown recommends finding a good ISP that offers Spam filtering, which most ISPs now do “dynamically,” to keep track of the latest Spam tactics. Randy Cosby, vice president of InfoWest, another Utah-based ISP, says that half of all the email his clients receive is Spam that gets filtered before it even reaches their inboxes.

Ashdown explains that next to Spam, businesses should be worried about spyware, network intrusions and internal data leaks. While external threats are predictable menaces, internal leaks may seem unlikely. But, Ashdown says, “The biggest hole in your office security is your own people. It’s important that you can trust them.”

And though you should trust your employees to surf the Web safely, don’t assume that they will. Educating everyone in the company about potential cyber threats should be one important part of a larger security plan. Employees who understand the nature of viruses, Trojan horses, worms, spyware and adware are quickly becoming a tremendous asset in their ability to avoid dangerous downloads. While the differences between these threats can be vague and confusing, even to security experts and lawmakers, it’s worth taking the time to figure out, and pass along, the basics.

Start with the hottest topic in cyber security—spyware. “Spyware is an easy-to-write, stand-alone program that comes onto a system without the user’s knowledge,” explains Kelly Martin, senior project manager at Symantec. Generally, spyware programs collect data about a user, which could mean Internet surfing behavior or specific keystrokes, then send that data to a third party. “The difference between spyware and a regular virus is that these programs are monetarily motivated,” Martin says. “They collect information that could be used for monetary gain.”

Spyware uses tactics that make it highly successful once it finds its way onto a computer. “Spyware is insidious, because it often works to conceal itself once it’s on a computer,” Martin explains. “And once you have a spyware on your system, it tends to open up doors by communicating with other spyware programs, telling them to come on in.”

You know you have spyware if you start seeing lots of pop-up ads, a new tool bar on your browser that you didn’t put there, a home page you didn’t set, random error messages, or an overly sluggish computer.

Most users who have a spyware infection (experts estimate that 90 to 95 percent of home computers do) never saw it coming. The user usually downloads spyware unknowingly, frequently through an End User License Agreement (EULA). The fine print in a EULA sometimes describes spyware-type programs, and by clicking “yes,” users legally allow these programs to begin monitoring their behavior. You can also get spyware by clicking on links in email messages or by clicking on pop-up ads or banners online.

“If it’s too good to believe, just don’t,” Randy Cosby says. “If you see a banner that says you’re going to win something, skip it.” He advises against clicking on any pop-up, even one that looks like a Microsoft Windows warning box, and against clicking “no” in any case; these are usually tricks to get the user to inadvertently download a dangerous program.

From the business perspective, surfing smartly may not be enough to prevent serious damage. Just ask Overstock.com or 1-800 CONTACTS, the two Utah companies that prompted House Bill 323, Utah’s anti-spyware legislation, in 2004. Jay McGury, director of legislative affairs at 1-800 CONTACTS, says the company became a target of adware programs that were selling customers’ information in “nefarious ways.” “It’s a very sleazy business,” McGury says. “They’re selling the good name of companies for a price.”

McGury says that ninety percent of what the industry calls spyware is actually adware, a similar type of program that tracks Web browsing habits. Like spyware, adware transmits information to a third party, but instead of going to spyware’s underground, shadowy network of individuals, the data goes to legitimate sources, usually established, licensed companies. (“We can find people who create adware,” McGury says.) Those who purchase the data collected by adware track users’ surfing behavior in order to eventually feed them targeted online advertising. Web surfers can download adware unknowingly simply by visiting certain Websites, but the programs are often packaged with legitimate software or distributed through EULAs. Adware is lumped in with its ugly sibling spyware because of privacy issues and should always be considered a breach in security if it shows up on any computer.

Individuals should combat spyware, adware and related threats (keystroke loggers, joke programs, worms, parasites, scumware, Trojan horses, dialers, malware and browser hijackers, to name a few) by installing a good anti-virus program. Many are available online for free, but again, use caution even when choosing which sites to visit for a download. A good system runs in real time, so security developments are constantly being combated through updates. “For every virus that is found, a team at Symantec writes a signature for that virus, which through a live update becomes the antidote to that individual virus,” Martin says.

Home computer users and small businesses may feel more vulnerable than large businesses, which can afford to hire an IT staff. But individuals and small businesses can be just as safe. “The goal is to protect your network from the outside world but leave enough access so employees can use the Internet,” says Cosby. Consider getting a firewall, a good Internet service provider with Spam filters, outside consultants who could perform regular security maintenance, and a policy limiting what employees can download and view online.

While the scope of today’s cyber threats and solutions may seem overwhelming, putting a little time into understanding them will transform computer security from the unwieldy to the manageable. But don’t do it just once. As Martin observes, “As long as people are motivated in a monetary way, these threats will continue to evolve.”