The truth about spam


COMMENT: Spam filtering has, without any shadow of a doubt, improved beyond recognition compared to just a few years ago.

Server-side systems have evolved to the point where relatively little spam gets through the defences, and are intelligent enough to ensure few false positives leading to genuine correspondence being flushed away with it.

So why am I insisting that spam is still a problem for your business?

In the words of Aleksandr Orlov, the TV advertising meerkat rather than a Russian security researcher, simples. While the little spam that does breach enterprise defences can perhaps be thought of as a minimal nuisance as far as employee productivity is concerned, that's far from the big picture.

When Opinion Matters on behalf of GFI Software recently conducted an independent and blind survey of more than 200 UK businesses, the results were perhaps rather shocking. The volume of spam, as far as decision makers within the SMBs polled were concerned, is not going down, it's going up.

Some 61 per cent said spam volumes had risen during the last 12 months and a further 21 per cent had seen no reduction in spam traffic rates.

And that's not all. Some 40 per cent of them admitted their business had suffered a data breach as a direct result of spam.

Wait a minute, spam-based data breaches? Surely not? Actually, when you think about it, the real response should be 'nothing new there.' After all, the favourite method of getting access to your data is to get someone within the enterprise to follow a malicious link or open a malicious file in order to execute a Trojan payload of some kind. And amongst many other methods, distribution of those links and attachments via spam is a hugely popular delivery route.

The thing is that, as I see it, the malicious spam threat has never gone away. Instead it has been downplayed by a tunnel vision in enterprise security strategy, which relies upon those evolved anti-spam filters to deal with it at the expense of taking a more layered approach to the problem. The survey found that 46 per cent of the businesses questioned relied solely upon the anti-spam component of their favoured anti-virus solution to deal with it.

What I find surprising about nearly half of those asked relying upon this one-chance-only spam filtering solution is that 62 per cent also admitted their anti-spam strategy was only marginally effective, with 8 per cent stating it wasn't effective at all. Amazing, especially when you consider the top concern shown by these same companies about spam was it may harbour malicious content that could compromise their networks.

Finally, some 14 per cent of those asked didn't have any education programme in place to ensure employees were aware of the spam threat, could recognise the dangers and be able to deal with them appropriately.

Until this situation changes, until those responsible for the security of the network take off the rose-tinted spectacles and admit both server/cloud and client-side approaches are needed to trap the most spam possible, the spam problem will not be going anywhere.

So, what can you do about? Well the obvious bullet points to concentrate on have to be user education and a bit of a rethink on the filtering technology front. The latter is vital if you are to actually have a more effective method of ensuring your business stays as spam-free as possible.

Simply having blind faith in your existing anti-spam solution is of little real world use if spam is still actually getting through in enough volume to cause the kind of problems outlined in this report. Actually, I'd say that a single malicious spam is one too many, but I appreciate we do not live in an ideal world.

Throwing money at the perceived non-problem of spam is not going to be an easy sell, I grant you, but the bean counters have to factor in the risk of malicious linkage and file attachments getting through when determining the true value of a little investment to the business.

User education is vital to ensure that when those rogue junk mails do slip through they are not actioned in a way that will compromise the security of your data. The danger is that those same bean counters will see education as the cheaper option and follow that course at the expense (every pun intended) of a technology review. This, in my never humble opinion, would be a big mistake: the one is diluted too much without the other.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at