The number of companies reporting spyware infestation has increased by just under 50 percent over the past 12 months, according to a survey released by Internet security specialist Websense.
According to the annual Websense Web@Work survey, published on Tuesday, 17 percent of companies with more than 100 employees have spyware — such as a keylogger — on their network.
"This is almost 50 percent growth in the instances of keyloggers that organisations are reporting back," Joel Camissar, country manager for Websense, said. "Despite the organisations having best-of-breed antivirus, anti-spyware and firewall, we are still detecting a huge amount of backchannel spyware communication."
One reason for this growth in spyware infestation is a massive increase in the number of spyware-making toolkits being sold online, said Camissar, who referred to some research that was conducted in partnership with the Anti-Phishing Working Group, earlier this year.
"In April 2005 there were 77 unique password-stealing applications. In the latest March report there were 197. Unique Web sites hosting keyloggers in the same timeframe have gone up from 260 to 2157 — almost a 10 times growth," said Camissar.
The survey also found that respondents had little faith in their staff being able to distinguish between genuine and phishing Web sites.
"Forty-seven percent of IT decision makers said their employees have clicked on phishing emails and 44 percent believe employees cannot accurately identify phishing sites.
"I am surprised that the results are not showing a larger growth in the number of organisations hit by this kind of threat," added Camissar.
Talkback
With the amount of danger now escalating to companies from this sort of threat it will come as no surprise that businesses will be forced to remove general internet access from employees to protect themselves. It is inevitable unless ISPs and governments (that's a joke) get together to stop the internet turning into a no-go zone.
Problem is that the entire security landscape is still seriously underestimated. Most decision makers still think that they're almost there, safe enough, or label it a next-year problem. Most of them base their conclusions on commercially sponsored opinion, sales talk and what their peers are doing. Which underlines a serious lack of liability in places that matter.
Another thing is that the bad guys are constantly and rapidly evolving. Customized penetration and information gathering is nothing new under the sun and the average "off the shelf" security solution won't catch it. Certainly not in the way most of those are implemented, configured, maintained and monitored (outsourced and all). Couple that with the masses of organizations that never fail to bring in the latest and greatest gadgets that seriously weaken overall security (smartphones, PDAs, smart watches, WiFi, VPN, USB devices, IR, Bluetooth; not to mention social engineering, bribed co-workers, smart PABX systems, consolidated centralization, waste bins, etc., etc.) without giving much thought, if any, to keeping on top of things or getting their act together (most IT departments are flooded with support questions and incidents anyway, or worse: go the 'not my problem' route).
In other words, as long as the right people don't take responsibility or are not made responsible enough we're condemned to do what we've done the last ten years or so: carrying water to the sea while thinking we're not there yet but almost anyway.
Nothing short of a few worldwide disasters in a row will wake us from that dream state. And we've had a few in the meantime. Just not enough of them, serious enough, in a short enough amount of time. How quickly people forget.
Oh right, we've got politicians and commercial lobbyists bringing us new laws and technologies as the one and only answer to all the problems they in fact shoved down our throats. And for some reason or another we're not to believe that's mostly to protect self-interest at the cost of various consumer and citizens' rights, budgets and choices. DRM to the rescue? Whose rescue anyway? Updated IP laws for protection? Whose protection anyway? More power to the powerful? Whose power anyway?
Back to the practical part. Either way, by following the commercially preferred way in solving the latest security issues and then the next and then the next and so on, or doing a root cause analysis and opt for more lasting solutions on the basis of a solid foundation, most organizations are facing yet again huge investments (time, budget, resources) to get things modernised because not doing anything will increase their risk of becoming a victim (including falling too far behind) as time goes by. Nothing new under the sun. Next year we'll know if they've learned anything or are setting themselves up to repeat the same mistakes in creative new ways.
The keyboard hardware manufacturers need to get together with the OS programmers and set up hardware public/private key encryption. Set by the keyboard, all text sent to the computer would need to be decoded to be processed.
Bump, no problem, ever again.