A new survey of 500 UK IT departments by SurfControl plc has found 62% of networks are known to have been infected by spyware. More than one in eight of the IT directors, CIOs and managers that participated were unable to identify whether or not their network had been infected.

IT departments are using a range of tactics to protect networks against malware, including desktop anti-spyware software (59%), content filtering (47%) and prohibiting access to sites known to carry spyware through an Acceptable Use Policy (33%). Yet despite the variety of approaches used to combat the threat, 59% of the survey's respondents had been forced to allocate time to clean-up their systems from malicious applications on their networks and workstations.

Compared to the time taken to deal with other security risks, spyware currently ranks lower than virus infections and spam, but it is already proving a greater drain on resources than protecting the network against hackers, making the threat to corporate security both real and significant. For almost three quarters of participants, the time spent removing spyware amounted to less than an hour a week, but for 19% it took up to two hours and 4% claimed they spent more than 5 hours each week cleaning up after infections.

"The frequency with which IT departments will encounter spyware is only going to increase and inflict further strain on already stretched resources," argues Steve Purdham, CEO at SurfControl. "It's clear that existing anti-spyware products are not delivering on their promise, as more than half the people we surveyed were already expressing serious concerns over the amount of time that they currently spend removing spyware. Just like the spam epidemic we certainly expect that this situation will get worse before it improves."

According to Purdham, there are a number of key factors that have influenced the emergence of spyware as a serious threat to company networks. "Spyware is a symptom of user behaviour. Any organisation that allows gaming software, P2P applications and IM systems to run without restrictions is exposing itself to risk, as these are some of the most common ways in which malware can enter the network. Tighter control of the dissemination of these systems is essential in the fight against the emerging malicious threats that we are now seeing. But, allied to this, the approach that many anti-spyware solutions take undermines the organisation's very ability to enforce information security measures by allowing users, rather than administrators, to decide whether or not a suspicious application should be allowed onto their desktops."

Purdham argues that the only way to overcome spyware is by centralising the control of any security solution, regardless of whether it is protecting the gateway or the desktop, as all anti-spyware systems should. "Deploying a client based anti-spyware solution, or one that can be tampered with by the user, not only leaves organisations with a false sense of security as it will not extend them the cover they believe they have invested in. Ultimately, they will still have the headache of removing applications from infected machines."