MessageLabs has released its March Intelligence Report, which analyzes patterns in Web-based threats during the first quarter of 2007. Quarter-on-quarter spam levels have risen to 76.3 percent, their highest in two years.
The report highlights the impact of increased spam levels on small to midsized businesses — these organizations receive more than double the volume of spam per user each month that large enterprises receive.
MessageLabs has decided to dedicate close study to this issue, going so far as to launch a Small Business Security Clinic. Its first initiative is a contest to win a free “security makeover.”
Through a questionnaire on its Web site, the research firm hopes to find six of the most IT security-challenged small businesses in the United States and United Kingdom that will receive MessageLabs’ e-mail and Web security services free for one year. Entries are due by May 11.
The point of this contest is to raise awareness among small businesses of the security issues they face and how these differ from large companies’.
“We’re trying to make [small businesses] aware of and understand threats to their businesses, what those are and how they could potentially manifest themselves and really focus on the key risks and eliminate them as much as possible,” said Paul Wood, MessageLabs senior analyst. “Small businesses tend to try and take the problem in hand themselves and end up with a mixture of different solutions that don’t necessarily integrate very well, and they become difficult to manage and maintain going forward. It also puts a particular dependence on IT staff within the organization, so that when they leave, you’re left with a difficult problem in replacing them.”
Spammers don’t discriminate in the size of the organization they target. In many cases, they programmatically create spam, targeting a particular domain name and generating e-mail addresses by using a combination of, for example, first names and last names.
Spammers can generate hundreds of thousands of messages sent to a particular domain. Almost all of them fail because the randomly generated e-mail addresses don’t exist, but the mail server has to process all these connections, missed or otherwise.
“Even if you have anti-spam software in place, it doesn’t help you in that situation because you’re still being deluged with a huge volume of these messages,” Wood said. “From a small-business perspective, that number of connections being processed by the mail server can result in a catastrophic failure. Even if it doesn’t cause problems on that scale, at some point, the IT people will be looking at improving the scalability of their servers and wonder why this server doesn’t cope with the small amount of mail they receive. They’ll be looking at things like bandwidth or memory or disk capacity without really understanding what’s causing the problem in the first place.”
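The address-guessing flood described above leaves a recognizable trace in mail server logs: a single client attempts many distinct recipients at one domain and nearly all are rejected as unknown. The Python below is an added example, not part of the MessageLabs report; the log format, the thresholds, the function names and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in a simplified, made-up log format (not a real mail
# server's): "<time> <client_ip> rcpt=<address> code=<smtp_reply_code>"
SAMPLE_LOG = """\
09:00:01 203.0.113.7 rcpt=john.smith@example.com code=550
09:00:01 203.0.113.7 rcpt=jane.smith@example.com code=550
09:00:02 203.0.113.7 rcpt=john.jones@example.com code=550
09:00:02 203.0.113.7 rcpt=jane.jones@example.com code=550
09:00:03 203.0.113.7 rcpt=info@example.com code=250
09:00:03 203.0.113.7 rcpt=mary.brown@example.com code=550
09:01:10 198.51.100.20 rcpt=info@example.com code=250
09:01:12 198.51.100.20 rcpt=sales@example.com code=250
09:02:30 192.0.2.9 rcpt=slaes@example.com code=550
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return (client_ip, recipient, smtp_code), or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, ip, rcpt, code = parts
    if not rcpt.startswith("rcpt=") or not code.startswith("code="):
        return None
    try:
        return ip, rcpt[5:].lower(), int(code[5:])
    except ValueError:
        return None

def find_harvesters(log_text, min_attempts=5, min_reject_ratio=0.8):
    """Flag clients whose recipient attempts are mostly unknown mailboxes."""
    attempts = defaultdict(int)
    unknown = defaultdict(set)      # distinct rejected addresses per client
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, rcpt, code = rec
        attempts[ip] += 1
        if code == 550:             # SMTP 550: mailbox unavailable
            unknown[ip].add(rcpt)
    # A single mistyped address stays below min_attempts and is not flagged.
    return {ip: (n, len(unknown[ip])) for ip, n in attempts.items()
            if n >= min_attempts and len(unknown[ip]) / n >= min_reject_ratio}

if __name__ == "__main__":
    for ip, (n, bad) in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {n} recipient attempts, {bad} distinct unknown")
```

Counting attempts per client rather than delivered messages is the point: these connections never reach a content filter, so they are invisible in anti-spam statistics while still consuming server capacity.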
Further, smaller organizations often don’t perceive themselves to be at a higher level of risk than larger organizations, which, in many cases, have been forced by information security regulations to assess and manage their level of risk.
A smaller organization sometimes indirectly arrives at such risk assessment when it supplies a larger organization, which enforces its level of risk management on the smaller company.
“In a large organization, you tend to find that it has more resources dedicated to an in-depth approach to filtering out e-mails,” said Wood, who added that managing problems such as spam and unwanted e-mail can become a full-time job. “You have to be on top of the latest trends and threats and be able to update your mail server very rapidly. That’s not realistic for a small company. It’s difficult for a large company to try and coordinate that, and they have more resources focused on that.”