Pressure Mounts for IT to Do More Than Just Protect Against Spam, Phishing - End Users Call for Education

Tokyo, Japan November 8, 2005 Trend Micro, Inc. (TSE:4704, NASDAQ: TMIC), a leader in antivirus and content security, today announced key findings from a study that reveals how spam-enabled phishing attacks are impacting end users at work, and, as a result, influencing their expectations of IT to ensure corporate and personal information security.

The study involves 1,600 non-IT professionals from various-sized organizations in the United States, the United Kingdom, Germany, and Japan. Of all the findings, one of the most prominent is that the majority of respondents expected IT to better educate them on the dangers posed by phishing – a profit-motivated threat that is increasing in prevalence and, in the process, jeopardizing corporate and personal information. Because spam often serves as a vehicle for delivering phishing attacks, the study heightens the urgency for organizations to protect against both types of threats to ensure employee security and prevent costly impact to business.

“The results of this study indicate that end users expect IT organizations to play more of a proactive role as an educator rather than just a back-office support function,” said Dave Rand, Trend Micro’s chief technologist of Internet security. “This is because phishing hurts more than just companies – it exploits individuals personally. Considering the personal dangers associated with phishing, IT has a golden opportunity to assume a more strategic role in protecting business continuity and employees.”

The Prevalence of Phishing

According to the study, encounters with phishing vary based on the size of an organization and by country. The highest prevalence was in the United States, where 43 percent of U.S. respondents reported experiencing a phishing threat. One out of every two business organizations of less than 500 employees said they encountered phishing at work.

However, in Germany, particularly within small businesses, encounters increased in frequency. While one out of every four respondents from small businesses reported encountering phishing, more than half of those who did – 57 percent – said the number of encounters had increased in the three months leading up to the study.

Meanwhile, in the United Kingdom, the growing frequency of phishing was more evident in larger organizations, where more than two of every five (41%) enterprise respondents experienced increasing encounters.

Victims and Consequences

Regardless of the organization’s size, phishing poses a direct threat to end users’ privacy and personal information. According to the study, the United Kingdom reported the highest percentage of victims – 7 percent from small businesses and 4.5 percent from larger businesses.

“These numbers may seem small, but imagine a business with one thousand employees and forty-five of them falling victim to phishing,” Rand said. “Imagine a smaller business with one hundred employees – in the United Kingdom, seven of those employees are likely to fall victim. In the United States, odds are that two or three out of every one hundred employees will be victimized. The workplace is supposed to be a safe environment, but phishing attacks are threatening that standard.”

Of those who reported falling victim, more than half (58%) reported that their privacy was violated. At least a third said they lost personal information, experienced drop-offs in productivity, or were victims of identity theft. In addition to the personal impact on individual end users, more than one of every five victims (21%) said they lost corporate information as well.

“With phishing, the company and the individual suffer,” Rand said.

The Impact on IT

Not surprisingly, respondents did not hesitate contacting IT after experiencing a security breach. For example, in Germany, almost half (44%) of all respondents from small businesses said they contacted IT to report a security breach. For larger German enterprises, 38 percent of the respondents reported security issues to IT. Based on these figures, a company with 1,000 employees could hypothetically incur helpdesk calls from 380 end users – a scenario that could place immense pressure on IT’s support capabilities and response times.

“If a security breach occurs, IT can easily become overwhelmed,” Rand said. “When this happens, the end user loses personal information while the company loses productivity and opportunity costs. Phishing is more than a security issue. It is a business problem.”

More Education, Better Protection

Although many respondents indicated that their IT organizations had implemented anti-phishing solutions, their effectiveness was called into question by at least a third of those surveyed in each country. The lack of confidence was highest in Japan. Almost two of every three Japanese respondents (63%) said their anti-phishing protection was not good enough. The smaller the organization, the more pervasive the sentiment. Three of every four Japanese respondents from small businesses lacked confidence in their anti-phishing protection.

When asked if their IT organizations could do a better job of protecting them from phishing, 43 percent of all Japanese respondents said yes. At least one of every four surveyed in the United States and United Kingdom agreed.

But in addition to protection, many of the respondents said IT could do a better job of educating them about phishing and how to avoid falling victim to an attack. Again, Japan expressed the most concern over IT’s role as an educator – 63 percent believed that IT could do a better job of educating them as a proactive, precautionary measure. Half of the end users surveyed in the other three countries also felt IT could improve its efforts in education.

“Protecting against spam and phishing requires more than just a product. It requires unifying security and business as one initiative,” Rand said. “IT needs to assume a proactive, preventative role via education. It needs to leverage the growing awareness of phishing, educate end users how to avoid falling victim, and warn them of the consequences associated with engaging in risky online behavior at work.”

Survey Methodology

The survey was conducted online in July and September 2005. More than 1,600 corporate end users from business organizations in the United States, United Kingdom, Germany, and Japan responded to the survey.

About Trend Micro, Inc.

Trend Micro, Inc. is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate and value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit our Web site, www.trendmicro.com