Just when you thought that viruses and spam were the Internet’s chief menaces, along comes spyware. This new venue of Internet angst is a program which transmits your computer’s browser history or other personal information to a remote server.

Sometimes an innocent banker installs the spyware without suspecting that their new ‘free password wallet’ also records which web sites have been visited.  Sometimes spyware accompanies a legitimate-looking application. Notification of the unexpected spyware guests is deeply buried in the license agreement, which few users even skim. Sometimes popup ads install spyware when an unsuspecting user clicks ‘next’ in the popup window.

These long-standing spyware installation techniques share one characteristic — they require user action to be installed. But today’s new spyware combines vulnerabilities in Internet Explorer with popup windows to install itself without user interaction.

Microsoft has released patches to guard against several of these vulnerabilities; however, new spyware that exploit different vulnerabilities seem to crop up each week. These programs are more than simple annoyances — they are “Trojan horses,” actively attempting to co-opt your personal information or computing resources.

How can a financial institution protect itself from future spyware attacks? Preventative measures work best. Here are a few ideas to stem the spyware tide:

Web Filtering Policy
Consider using a custom web filtering policy to limit access to Internet resources. You might block access to non-business-related web sites such as shopping and news sites. Web filtering can also block access to dangerous file types, such as .cab and .exe files, which allow spyware to damage your institution’s computers.

Increasing numbers of banks and credit unions are now considering a ‘default-deny’ policy for web browsing. The underlying principle: it’s better to block first and ask questions later when the motive of a particular website is doubtful. This method is highly effective in protecting your employees from malicious sites, but can be a maintenance nightmare if a comprehensive list of ‘safe’ sites is not compiled ahead of time.

Patch!
There are good reasons for institutions to keep their software patches up to date. New Internet Explorer vulnerabilities emerge all the time. As soon as a patch is available, several spyware and virus authors are already exploiting the vulnerability. Don’t let them make you a victim! Many hackers write and release their malicious code up to a year following a patch announcement and still infect millions of computers because software patches have not been installed.

Enterprise patch management solutions can automate the patch application process to scores of workstations and servers simultaneously. A good patch management solution will enable your institution to test and deploy software updates in far less time than hand installation. It should also simplify rollbacks if something goes wrong. These products produce reports to prove patching activities to auditors. Among the top solutions are Patchlink, Symantec’s ON iPatch product, and Marimba. If your budget precludes a commercial patch management product, Microsoft has a free utility called Software Update Services (SUS) which provides much of the functionality of the commercial patching solutions.

Spyware Removers
Run legitimate spyware removers such as Ad-aware or Spybot regularly.  Better yet, run more than one, as each has strengths and weaknesses. Treat your spyware removers like your virus scanner – keep them up to date with the latest signatures. But beware, many programs claim to remove spyware but actually install their own instead!

Anti-virus Software
Run up-to-date anti-virus software, too. While spyware programs aren’t technically viruses, more antivirus programs are developing signatures to catch and remove them. If time or expertise is in short supply, consider using a technical service. Many services can help via a secure remote connection, saving the expense of an office visit.

Different Browser?
Consider migrating your employees to a different web browser like Mozilla Firefox (http://www.mozilla.org/products/firefox/) or Opera (http://www.opera.com/). These browsers significantly improve on Internet Explorer’s functionality and have fewer security issues.  However, some websites do not function properly with non-Internet Explorer browsers, so test thoroughly before undertaking a full-scale migration.

In conclusion, spyware’s growing threat deserves careful consideration and countermeasures. While it’s not possible to completely eliminate your institution’s exposure to spyware, preventive measures can effectively protect you and your staff.