No one else to blame: Businesses that fail to stop Web-based Malware
by Steve Ragan - Sep 24 2008, 11:16
Businesses are not seeing the larger picture when it comes to Web-based threats. (Image: J. Anderson)
Webroot, in a report investigating the impact of Web 2.0 on the Enterprise, said that over 80 percent of Malware is now being distributed on the Web. Adding to this fact, is the claim that businesses are lacking when it comes to properly protecting themselves from the threat.
Over the last year, Webroot looked at Web-related threats and attempted to learn how businesses defended against them by talking with 648 Web security product decision-makers in Australia, the United Kingdom, Canada, and the United States.
What they discovered is that while businesses depend on Web applications to execute critical functions like customer support, research, and ad campaigns, IT professionals fail to comprehend the new set of threats that have been introduced since the business world joined the Web 2.0 trend.
“Only 15 percent of the businesses Webroot surveyed reported solid enforcement of Internet usage policies to reduce their organizations’ vulnerability. Industry research shows 49 percent of businesses allow employees unlimited access to social networking sites, which do not monitor their content for malware. Further, more than 85 percent of organizations still rely solely on desktop defenses which do not scan for malware in inbound Web traffic,” Webroot said in a release on the report.
However, as Webroot is a security vendor that has a vested interest in these numbers, let's skip the data and look at something else.
“One out of four businesses reported a Web-based threat compromised confidential information, threatened online transactions or caused a Web server outage,” reads a Webroot bullet point.
The question here is why? Why were these servers lacking the protections whose absence led to outages or compromise? Where was the IT department in all of this? What percentage of these compromises was a direct result of SQL-based attacks, or of a Web application compromise? What processes were in place to audit security on these servers and commerce applications? According to the bullet point, there were no processes in place, because there was a compromise of the system.
Processes and controls help. No security suite in the world will save your network if you fail to test your own security occasionally. No security vendor makes a true all-in-one solution. This is why you layer your security on a network.
Other bullet points from the Webroot release include: “Nearly half the businesses surveyed expressed concern about data breaches. One out of five respondents did not know which compliance laws apply to their business.”
They are afraid of breaches, yet 20 percent are missing a clue when it comes to the compliance regulations that govern their businesses, which, since this happens to be a report on Web 2.0, you can almost be assured include PCI at the least.
How does this happen? How does a company get a “security product decision-maker” that's clueless to what compliance measures need to be enforced in their place of business? How?
One idea centers on the harsh reality that companies want security, but are unwilling to pay for it. Sure, recent research tells you that IT budgets are increasing slightly for 2009. Most of this spending is aimed at security. The reasoning for the slight jump in budgets is fear. Fear that the company will not meet compliance regulations, or fear of ending up on the 11 o’clock news.
That’s all well and good, but these same reports fail to mention that security is often given the least amount of the overall budget for IT services. If spending is going up in IT, that means that more security products are being bought, but less is being spent on training and infrastructure. You have to have a nice even fit and continuously work to refine the process.
What good does a $50,000 USD security suite do for a business that's running a network on Windows NT with outdated servers? Even servers just five years old are being replaced today, because of advances in technology that increase total performance and return on investment. Green IT, virtualization, scalable network designs: each of them buzzwords that companies latch on to.
So yes, spending in IT is going up, and security is the driving force. However, the spending is wasted if the hardware running the new security suites is vulnerable, or the staff cannot deal with the changes in the threat landscape online.
“Web-based applications are extremely or very important for providing customer support at nearly half of the businesses surveyed. Forty-four percent of respondents reported access to Web-based [HR and benefits] applications is extremely or very important for their business,” reads another set of bullet points.
Yet, with that said, Web-based threats are on the rise and businesses are doing little to stop them, according to the theme of the Webroot report. Spin it however you want, the numbers and figures don’t lie.
Businesses want it all, but don’t want to cover the expense, and what they are left with are vendors that try to fill the gaps by offering the all-in-one product that will never cover everything.
The solution is layers. Layer the security, and tailor the solution to meet the needs of the specific business. Purchase security that can grow with the business model, and advance the infrastructure and business at the same time. IT and security need to be a part of any business plan, especially if it centers on Web 2.0 technology.