Webroot has recently published an interesting study, available here (registration required), on the latest Web-borne threats and their economic impact; it also provides useful suggestions on how to implement an effective defense.
The survey revealed a direct correlation between employees' free access to web resources and their companies' level of exposure to cyber threats such as malware and phishing attacks.
The research assessed the state of the Web security layer in organizations throughout the United States and the United Kingdom, focusing the analysis on those companies that currently have a Web security solution or plan to deploy one in 2013.
Web-borne attacks are having a meaningful impact on businesses and their operations. The principal negative effects on the business are reduced employee productivity, increased help desk time to repair damage and, of course, disruption of business activities.
“More severely, 4 in 10 companies reported that Web-borne threats compromised the security of customer data and impacted their company’s bottom line. Attacks that use spam, spear phishing and “drive-by” downloads increase the cost of data breaches. Many advanced persistent threats use these methods to gain a foothold in corporate networks.”
Companies that suffered cyber attacks and had their Web sites compromised reported significantly higher rates of related cyber threats such as phishing, keyloggers/spyware, drive-by downloads, hacked passwords, social engineering attacks and SQL injection attacks.
“An alarming 57% of companies whose Web sites were compromised had the security of customer data breached, 55% reported a significant impact on company finances and 46% said the company’s reputation was damaged.”
The following table reports the top Web security challenges in 2013 for security administrators; it's evident that malware-based attacks and preventing data breaches are the most significant ones.
The authors of the survey suggest mitigating the business risks by adopting a layered defense, with effective endpoint and Web security and monitoring in place.
The study's key findings follow:
79% of companies experienced Web-borne attacks in 2012, and almost all Web security administrators agreed that Web access is a source of risk for their company, especially for malware-based attacks. The survey demonstrated that, despite awareness of the risks related to cyber threats, only 56% of those interviewed said they had implemented Web security protection, and more than half of companies without Web security had Web sites compromised.
“Protecting against Web-borne malware should be a high priority for all organizations since once inside a network, the propagation of malware can take down the entire company, effectively disabling an organization,” said Sara Radicati, President and CEO at Radicati Group. “Finding a balance between providing employees Web access and ensuring corporate information security requires a solid Web security solution and is an essential requirement for companies to avoid this costly liability.”
As said several times, the trends that are increasing companies' exposure to cyber threats today are mobility, social networking, BYOD and cloud computing; cybercrime is taking advantage of Web-based vulnerabilities, causing serious damage.
Phishing represents one of the fastest-growing causes of data breaches and data loss as cybercriminals become progressively adept at luring users into divulging sensitive corporate data. The study states:
“… more than half of companies surveyed experienced phishing attacks in 2012. Phishing is particularly challenging because cybercriminals launch new sites that masquerade as legitimate sites so quickly and for such a short period of time that most existing Web security fails to detect them.”
The comparison of the impact of cyber threats on organizations of different sizes is interesting: larger organizations are exposed to greater risk of breaches or incidents. Compared with firms that have 100 to 999 employees, companies with 1,000 to 4,999 employees are at higher risk of Web-borne attacks; they have higher rates of compromised Web sites, hacked passwords and social engineering attacks.
Among large businesses, 65% reported the attacks disrupted business activities, 45% said company finances were negatively impacted and 38% reported the reputation of their company was damaged.
What is the estimated impact of Web-borne attacks?
Web-borne attacks are very costly to companies. In the US, 15% of Web security executives estimate the cost of Web-borne attacks at $25,000 to $99,999, 13% at $100,000 to $499,999, and 6% at $500,000 to $10 million. Additionally, in the UK, 22% of Web security executives estimate the cost of Web-borne attacks at £25,000 to £99,999, 8% at £100,000 to £499,999 and 8% at £500,000 to £4 million.
The economic impact is devastating, which is why the authors suggest an innovative approach to security.
Let’s conclude with an alarming figure: 44% of companies are unprotected from cybercrime, a sign that there is a lot to do …
Pierluigi Paganini
(Security Affairs – Security)