Over half of the IT managers who responded to a Web@Work survey said that they were concerned about spyware--sometimes bundled as hidden components in freeware programs--infecting the network where they worked, with almost 40 percent having had employee workstations affected.
Graham Pearson, regional manager for Southeast Asia and Australia at software house Websense--which carried out the survey--said that it's very hard to educate users about spyware.
According to the survey, only four percent of employees were aware of spyware on their computers. "[Users] are starting to hear the word 'spyware', but don't really know what it's about," Pearson said.
Steve Bittinger, a Canberra-based research director for industry analyst Gartner, spoke to ZDNet Australia about how enterprises can reduce the risk of having employees download inappropriate software or content from the Internet.
"The most effective approach is based on policy, standards and creating a 'culture of security', augmented by carefully selected security technologies," Bittinger said.
The fundamental message was that tools should be preceded by policy, according to Bittinger. "The single greatest risk in an organisation is the people," he said. "[The] best way to deal with that is through effective policy and training."
Companies could roll out updated security policies and guidelines with a training programme run like a marketing initiative. This could include induction training for new staff members, signed agreements about an organisation's rules and policies, and refresher courses for existing staff.
A culture created by the senior executive team, such as the CEO and board, is also important, argued Bittinger. "Executives make a lot of decisions about what matters and what doesn't matter...and in the end that creates the culture of the organisation," he said.
Bittinger said that if top executives didn't give the impression that the policies were important, and that they were following them, then it was hard to create a culture where staff would take the IT security policy seriously.
Andy Norton, product manager at Symantec, agreed that user awareness was critical when it came to gaining mindshare from staff about security policies.
Norton said that unaware users could be a problem, because staff needed to know why security policies were in place. He suggested that CIOs and IT managers get the HR department involved in IT security policies. "[Organisations] need an integrated approach...they need to be proactive in their security," Norton said.
A research note issued by Gartner earlier this year also highlighted how worm attacks often reinforce the need for organisations to protect themselves against threats. "The SQL Slammer attack underscores the urgent need for enterprises to ensure that no unauthorised server processes are running on their networked desktops," it stated.
The research note counted among such unauthorised server processes instant messaging software, peer-to-peer file-sharing software, Web applications that allowed offline data entry, and spyware programs.
The authors suggested enterprises could lock down corporate desktops to gain the greatest improvement in security. This included not allowing users to install any software on the standard corporate desktop image.
"Fewer than five percent of enterprises have been able to take this step, typically because influential users complain that the lockdown adversely affects their job performance," the research note stated. "However, a confluence of factors--heightened security concerns, the current slowdown in IT spending and harsh job market--has given IS organisations a window of opportunity to gain approval for desktop lockdown."
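The Gartner note's recommendation to ensure that no unauthorised server processes are running on networked desktops is something an administrator can actually check. The script below is an added illustration, not code from Gartner, Websense or Symantec: it parses listening-socket output in the style of Linux `ss -tulnp`, compares each listening process and port against a hypothetical corporate allowlist, and reports anything else as unauthorised, separately noting which of those are bound to a network-reachable address rather than loopback. The sample output and the allowlist are constructed for the example.

```python
"""Audit a desktop's listening sockets against an allowlist of sanctioned
server processes.

Added example, not code from the article or the firms it quotes. The input
format is modelled on Linux `ss -tulnp`; the sample below is constructed,
not captured from a real host, and the allowlist is hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*        users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      50     127.0.0.1:631     0.0.0.0:*        users:(("cupsd",pid=905,fd=7))
udp   UNCONN 0      0      0.0.0.0:1434      0.0.0.0:*        users:(("sqlservr",pid=2211,fd=11))
tcp   LISTEN 0      5      0.0.0.0:6881      0.0.0.0:*        users:(("bittorrent",pid=3120,fd=9))
tcp   LISTEN 0      128    [::]:22           [::]:*           users:(("sshd",pid=812,fd=4))
"""

# Hypothetical allowlist: (process name, port) pairs sanctioned on the
# standard desktop image. Anything else that listens is flagged.
ALLOWED_LISTENERS = {("sshd", 22), ("cupsd", 631)}

# One `ss` row: proto, state, recv-q, send-q, local addr:port, peer, process.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    proc: str
    pid: int

    @property
    def exposed(self) -> bool:
        """True when bound to a non-loopback address, i.e. reachable from the LAN."""
        return not (self.addr.startswith("127.") or self.addr == "[::1]")


def parse_listeners(text: str) -> list[Listener]:
    """Parse `ss -tulnp`-style rows; header and unrecognised lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # UDP sockets report UNCONN rather than LISTEN; both are servers here.
        found.append(Listener(m["proto"], m["addr"], int(m["port"]),
                              m["proc"], int(m["pid"])))
    return found


def unauthorised(listeners: list[Listener]) -> list[Listener]:
    """Every listener whose (process, port) pair is not on the allowlist."""
    return [s for s in listeners if (s.proc, s.port) not in ALLOWED_LISTENERS]


def audit(text: str = SAMPLE_SS_OUTPUT) -> dict:
    """Summarise the host: total listeners, unauthorised ones, and the subset
    of those that are reachable from the network."""
    listeners = parse_listeners(text)
    bad = unauthorised(listeners)
    return {
        "total": len(listeners),
        "unauthorised": sorted({(s.proc, s.port) for s in bad}),
        "network_exposed": sorted({(s.proc, s.port) for s in bad if s.exposed}),
    }


if __name__ == "__main__":
    report = audit()
    for proc, port in report["unauthorised"]:
        print(f"UNAUTHORISED listener: {proc} on port {port}")
```

On the constructed sample the two sshd rows and the loopback-only cupsd pass, while the SQL Server browser port and the file-sharing client are flagged, both of them bound to all interfaces. A real deployment would feed the script the live `ss` output, keep the allowlist per desktop image, and treat any flagged entry as either a policy exception to record or a process to remove.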