Cyber Security Industry Alliance Newsletter •  Volume 3, Number 1  • September 2006

CSIA Member Spotlight


Name: SurfControl plc

CEO: Patricia Sueltz

Founded: 1997

Headquarters: Scotts Valley, CA

Number of Employees: 500 people in offices across the United States, Europe and Asia/Pacific. 

Total Revenue: £52.46M in 2005

About SurfControl: SurfControl plc (LSE: SRF), makes Internet communication a business advantage – and not a threat. Best-in-class products and solutions help customers achieve business and regulatory compliance, increased security and control, and improved resource efficiency.

SurfControl protects at multiple points of Internet vulnerability: in the "cloud" with on-demand mail and web protection services, at the enterprise gateway with software and appliances, and on the desktop or mobile client. All of SurfControl’s products are backed by industry-leading threat detection technologies, delivered by SurfControl's Global Threat Experts who work 24/7 to provide customers with dynamic zero-day protection. The company has more than 23,000 customers worldwide, 14.5 million users, and employs more than 500 people in offices across Europe, the Americas, and Asia/Pacific.

SurfControl’s vision continues to become more relevant as threats increasingly blend multiple methods of transmission, and extend into more Internet technologies. SurfControl will continue to provide customers with unified threat protection solutions that fit seamlessly into their enterprise security infrastructure, and control threats before they jeopardize the network and the business.

The Burglar in the Basement

Historically, the approach to enterprise security has been to make the fortress bigger - install more products, write more policies. Yet despite heightened security awareness and cutting-edge tools, 2005 was the worst year on record for corporate security breaches. The problem is, attackers are as advanced as the defenders — and the attacks don’t always come from the expected direction.

Inside job

The fact is, the biggest threat to an organization lies within its boundaries. In its 2005 survey, "The Global State of Information Security," PricewaterhouseCoopers found that 33% of Information Security attacks originated from internal employees while 28% came from ex-employees and partners. Law enforcement experts estimate that over 50% of breaches result from employees misusing access privileges, whether maliciously or unwittingly.

One of the key internal corporate threats is spyware, because it’s all too often introduced without malicious intent


So securing the enterprise isn’t just about stopping external threats. It’s just as important to contain the threat from hapless or hazardous employees.

One of the key internal threats to corporates is spyware, because it’s all too often introduced without malicious intent, by employees that naively click through a couple of pop-up browser windows, or install an unapproved yet 'cool' application on the network. The situation isn’t helped by the myths that surround spyware.



Put simply, to keep the burglars out of the basement, prevent employees from letting them in…

Use network Web filters, spyware blockers at network and desktop and spyware installation blockers

There are six common spyware myths:

  1. It’s an isolated problem
  2. Blocking at the gateway is good enough
  3. Locking down the desktop is good enough
  4. Drive-by downloads are a primary source of penetration
  5. The problem comes from the outside in
  6. No one wants spyware

But the truth is somewhat different:

  1. Most spyware comes in as the direct result of user behavior, whether that user is naïve or ill-intentioned.

  2. Stuff comes in at the desktop all day long. Blocking at the gateway without securing the desktop PC doesn’t make security sense. It’s like locking the doors and windows of the house - with the burglar still in the basement – and not bothering to call the police. What’s more, gateway defenses cannot detect threats already on desktop PCs.

  3. If "locking down" the desktop and restricting user installation were effective, there would be no need for antivirus software. Spyware is designed to get a
  4. round acceptable use policies and exploits users’ inquisitive nature.

  5. "Drive-by downloads" should never occur in a corporate environment, because they come from sites that users should not visit at work.

  6. Sure, spyware comes from outside - because someone opened the door and let it in. Not recognizing this results in a porous security infrastructure.

  7. True, no-one actually wants spyware, but it comes as part of that cool application that users do want. So spyware gets installed anyway.

Spy trap

So what can companies do to minimize internal threats? First, make a Web filter a required part of the network security arsenal. This should prohibit users from visiting known spyware and ‘drive-by download’ sites.

Second, deploy an effective email filter that blocks spyware from entering the network via active HTML, attachments, phishing and spam. There also needs to be protection at the desktop to stop spyware as it’s introduced.

Lastly, implement a solution that disallows running or installing programs that in turn install spyware.

Put simply, to keep the burglar out of the basement, organizations need to remove the ability for employees to let burglars in. They need to implement tamper-proof solutions that users cannot easily evade – no matter what the external inducements.