Contrary to popular belief, spam is not the electronic equivalent of junk mail. Paper-based junk mail cannot hide software code capable of corrupting business data, defacing websites, stealing broadband traffic, clogging email applications, or irreparably damaging the computers of business or its customers.
Junk mail might, at its worst, inflate refuse bills. Spam, on the other hand, can cost business its business.
In its more benign form, spam slows down business productivity and irritates, distracts and bores those who must trawl through it. In more serious guise, it arrives in system-stupefying volume, bringing inbound and outbound data traffic to grinding halt. Spam also carries software threats including code that opens “backdoors” for hackers to operate networked computers as “zombies”, steal broadband access, or burgle online and network identities.
Bessie Nicholls, project coordinator for small business support agency Enterprising Manukau, has witnessed client almost wiped out by spam-borne malicious code. “In the time it took them to get things back online and unscrambled they had lost three orders over three or four days – worth somewhere around $1.5 million on the international market.” And this kind of problem is hitting small to medium enterprises (SMEs) on regular basis.
Security advocates spoken to for this cover story believe New Zealand managers are failing to grasp the growing sophistication of internet threats and the multiplicity of ways spammers and hackers are accessing business networks.
For example, last December InsightExpress surveyed 500 New Zealand SMEs and found spam already undermining the efficiencies of internet communication, transactions and commerce. Among other results, 64 percent of the surveyed businesses reported an increase in spam over the preceding six months, and 33 percent reported “a dramatic increase”. Yet when Symantec New Zealand and the Employers and Manufacturers Association (EMA) surveyed 207 SMEs four months later in April this year, they found just 17 percent of firms had anti-virus software installed and only 31 percent were using spam filtering software. Consequently, 63 percent of the businesses surveyed had suffered negative business impact from malicious online attack. And these weren’t micro enterprises. healthy 70 percent of them reported turnovers in excess of $1 million. The average number of employees was 41. Extrapolate the figures over New Zealand’s population of roughly 200,000 businesses and the scale of the problem comes into sharp relief.
Homegrown spam
But it’s not just small companies that are struggling with spam-related business problems. Telecommunications provider TelstraClear says spam accounted for 62 percent of the email it received in December 2003, while the ISP Ihug stopped 6.5 million spam emails in November alone.
Neil McCallum, product manager messaging for New Zealand’s largest ISP, Xtra, says the company was forced to solve delays in its email service earlier this year following sudden spike in spam volume that contained electronic worms. The delivery of Xtra emails was delayed, in worst-case examples, by staggering four to five days.
“If we get spike in email volume we still have to process all the emails. While user expectations of email service speeds are rising, people don’t appreciate that spam is increasingly problematic and slows things down,” he says.
McCallum estimates that more than 50 percent of all email passing through Xtra gateways is now spam. And it’s not all harmless nuisance. “I plot the worms we find and where they once used to expire now they don’t; you see them stacking up, one on top of the other.”
Most of the spam seen by Telecom contains product pushing or adult content, or is ‘phishing’ – fraudulent email designed to trick individuals into revealing passwords and network identification codes. New Zealand’s online banking customers have been regular phishing targets over the past 12 months.
According to Michael Long, security services architect for Telecom Advanced Solutions, spammers constantly change their techniques to outsmart security software and, just like graffiti artists, will war over who can raise the highest spam community profile.
“Spamming is shotgun approach; you send five million messages and the one that gets [opened and answered] is considered success. The people who generate spam make money and tracing who and where they are can be difficult,” says Long.
And New Zealand’s hacker community is growing too. According to Richard Batchelar, New Zealand country manager for security software vendor Symantec Corporation, “there are number of hackers in New Zealand; we can’t identify them but we know they have moved here.”
In the know
So why aren’t New Zealand managers more proactive about securing their computer systems and developing internal security policies to combat spam?
The problem, according to security vendors, is primarily one of awareness. The managers of our larger enterprises consider IT security an “IT problem”. On the other hand, the managers of small businesses lack the time, and often the skills, to investigate the risk.
Awareness is also hindered by shortage of concrete examples.
Businesses badly burned by spam and security breaches have one thing in common with organisations careful to avoid trouble. Like sex, they don’t like to talk about it in public.
But talking, especially within an organisation, is important according to Gerardus Verspeek, IT administrator for law firm Cairns Slane. He told Symantec New Zealand roundtable in June how he used an email filtering product to make staff realise the extent of internet security threat facing business.
“I made public to the whole firm how many tried intrusions we’d stopped at the firewall point. In February, I think we stopped 18,000, and all the solicitors and secretaries freaked out; they didn’t realise it was happening. It’s about letting people know how [security technologies] work and what they do.”
Close to home
The costliest computer crimes – denial of (internet access) services and the theft of intellectual property – are becoming more prevalent in New Zealand and so more companies are enquiring about how to control spam. “Even on low averages, about 30 percent of email in New Zealand is spam,” says Batchelar.
It is, of course, significantly higher than that. In May, anti-spam software developer BrightMail (now owned by Symantec Corporation) suggested that the percentage of spam in New Zealand emails had levelled out to around 64 percent, up on the 48 percent recorded in May 2003 and 22 percent in May 2002. Brightmail thinks cooperative international efforts to stop spam may be contributing to this apparent plateau.
Spam and phishing originating from the Asia Pacific region is, however, on the rise according to Brightmail.
Of 100 billion spam messages filtered by the company in May, 15 percent originated from that region compared with only 6.5 percent in the previous six months. The rate of Asia Pacific sourced phishing emails rose 33 percent in just three months.
How much hype?
But despite the plethora of research and hard data suggesting spam and internet-borne attacks eat into business productivity, reputations and profits; anecdotal evidence suggests many managers believe the threat is hyped to help security vendors sell more products and services. Memories of how the IT and consulting industries manipulated Y2K linger.
So, are the threats real this time? And what happens if too-stringent email security interferes with the delivery of legitimate emails? Could internal security policies become so arduous that no one complies? Can business simply be too electronically secure?
There is, for some companies, fine line between blocking spam and internet threats and security measures that become more irritating than spam itself. “Most business customers prefer to let few spam through than lose legitimate busi
