A decade ago, unsolicited email, aka spam, was a big problem. It filled inboxes with infected attachments, malicious links and claims of riches that required a simple reply (and your bank details).
Fast forward 10 years and myriad technological advances, and yet spam hasn’t gone away. Spam filters have become part of the IT furniture, so to speak, but unsolicited email still finds its way into inboxes.
It continues to disrupt businesses, and the volume of spam, even though it has come down to a degree, can still be in the region of 50 per cent of all email received. That is still a lot of spam: only five valid emails in 10, and the other five are possible email-borne security threats.
Spam is one of the most aggressive cyber battles that IT departments must wage, especially since hackers and scammers have achieved new levels of sophistication and cunning with their scams and attacks. Criminals are increasingly using spam to deliver malware payloads into the workplace with the intent of either causing disruption, holding PCs and servers ransom or even stealing valuable information that can be sold or used for fraud.
Infected machines mean unproductive computers and users, limiting business activities and, as a result, losing money. Stolen data can result in everything from fines to lost customer confidence, while even non-malware spam creates disruption by clogging mailboxes, filling up storage and consuming IT admin time that could be put to work on more valuable tasks.
Unfortunately, the weakest link is not the technology but those who use email. To be more specific, those who time and again fail to heed advice, email use policies and clear ‘do-not-click-on-links-or-open-attachments-from-suspect-senders’ warnings from IT.
Many take spam for granted these days and put their trust in spam filters on their machines or at server level. However, a recent survey by GFI Software into spam email in the workplace showed that spam is far from eradicated.
The blind, independent study was conducted for GFI Software by Opinion Matters, surveying 200 US IT decision makers from organizations with between five and 1,000 employees.
According to this independent study, 69 percent of US organizations surveyed have seen their day-to-day business operations severely disrupted or completely halted as a result of at least one spam-related incident in the last year.
Furthermore, 36 percent of those surveyed have been affected as many as three times a year, with substantially negative impacts on productivity, as well as creating significant expense for the business if PCs and servers need to be disinfected or reinstalled to recover from malware-based spam being opened and executed by a user. Fifteen percent of respondents also admitted their business experienced major spam-related IT failures more than 10 times in the last year.
Key findings from the US-based survey include:
- Phishing is the most common type of spam that companies combat, with 49 percent of respondents citing it as the most prevalent type of spam their organization receives.
- Banking spam, from real but unsolicited companies, was the second biggest problem, named by 44 percent of respondents.
- Dating site spam was the third most common type, with 34 percent of respondents reporting it as their main concern.
- 56 percent of those surveyed detected an increase in spam levels over the past year, while only 13 percent saw their levels of incoming spam decrease.
- 77.5 percent of companies rely on end-users to exercise their best judgment in dealing with any spam not caught by a server-side or client-side filter.
Spam’s share of overall email
Despite the perceived growth in the volume of spam that organizations must manage, spam’s overall share of email traffic remains relatively low. Thanks in part to the growing reliance on email for everyday business communication and increased volume – both internally and externally – 40 percent of those surveyed reported that spam accounts for no more than 15 percent of their overall email traffic, indicating that spam-related damage is a bigger challenge than volume. However, one third of respondents also admitted that spam accounts for up to one quarter of their overall email traffic, and a further 13 percent said spam accounts for up to one half of overall traffic. These heightened rates of incidence significantly increase the chance of malicious spam getting past filters and fooling unsuspecting users.
The numbers are similar when looking at spam’s impact on email storage. Effective filtering, paired with good policies and training, should ensure that most spam gets trapped at the server, and that anything that leaks through is dealt with by client-side spam measures and user best practice. While 45 percent of those surveyed said that spam accounts for up to 15 percent of overall stored and archived email, one-fifth put the figure at no more than 10 percent of total storage. The remaining 36 percent are dealing with a major storage overhead, with up to half of their mail storage consumed by spam, costing the company money and delivering no value.
Networks face the most likely disruption
The most common form of spam-related disruption is network disruption, according to 27 percent of those surveyed, while 22 percent have been hit by malware as a result of a user responding to a spam email. When organizations have been disrupted by a spam-related disturbance – for example, a user clicking on a malware-infected attachment or link to a malware-filled website – the disruption to the business is substantial. The survey revealed that 48 percent lost up to three hours of productivity as a result of a spam incident. More than one-third (34 percent) have lost up to five hours per incident, while nine percent have lost up to nine hours – more than a full work day in most organizations.
“The impact of a spam incident on a business should not be underestimated. Lost productivity not only has a cascade effect across the business, it directly hits a company’s bottom line. If you are lucky, the time spent by IT recovering a PC or server will be quick, but if machines and data are stolen or locked up in a ransomware scam, the time and cost to the organization can quickly spiral,” added Galindo.
The role of spam filtering and policy
Despite some uncertainty over who is responsible for spam, there is some clear policy guidance on what to do with it, with 69 percent of respondents advising users to simply delete anything that appears to be spam from their inboxes. Only 3 percent do not have a policy.
Unfortunately, as spam filters try to cope with the ever-increasing complexity and sophistication of spam – particularly phishing mail – some legitimate mail can be flagged as a false positive and blocked, more so if the filters are not configured correctly. Almost two-thirds (65 percent) of respondents have experienced this in the past year, with almost half (46 percent) only experiencing up to three false positives a year.
The full survey results for the US and a similar survey conducted in the UK can be found at: http://www.gfi.com/documents/GFI-Spam-survey-2014.zip