A Web survey of companies with an average of 1,000 employees conducted by Osterman Research on behalf of PureWire, a Web security software as a service (SaaS) vendor, found the majority of the 139 respondents concerned about the Internet.
Fears that the Internet is an entry point for malware topped their list
of concerns, with the impact of the Web and Web security on network
bandwidth coming in second and enforcement of Web usage coming in third.
While many companies have established corporate policies against
downloading certain types of files and have deployed systems that will block such
downloads, they are not adequate solutions, the survey found.
The security problem is partly due to the outdated enterprise approach to
Web security and partly due to Web 2.0 technologies, Paul Judge, chief
technology officer at PureWire, told InternetNews.com.
Seventy-six percent of the respondents to the survey expressed concern
over the Web as an entry point for malware, 55 percent worried about the
impact of the Web and Web security on network bandwidth, and 44 percent
about employee productivity losses from Web surfing.
The remote workforce is a source of worry — 49 percent of the
respondents were concerned about enforcing Web usage and Web security
policies for their remote workforce, and 48 percent were concerned about supporting remote workers with various Web applications.
Those fears about remote workers are well founded, as they often engage in risky
behavior, a study sponsored by Cisco (NASDAQ: CSCO) has found.
“The Web and Web applications pose a serious conundrum – the productivity
gains and cost savings from the use of these tools can be significant and
will become more important given the pressures resulting from the current
economic crisis, but these tools create enormous risk for organizations of
any size,” the survey concluded.
That conclusion has a point. Browser add-ons, or plug-ins, such as Adobe (NASDAQ: ADBE) Flash, are becoming a growth industry, and Microsoft (NASDAQ: MSFT)
has said that these are becoming a favorite target for attackers.
Browsers remain a target
Meanwhile, IBM (NYSE: IBM) is betting on the browser as an application platform, a move which will increase corporate exposure to the Web.
And the browsers themselves are not so safe, either. Mozilla and
Microsoft both had to issue patches for their respective browsers earlier this month.
“Attackers have moved from e-mail to the Web because the traditional
approach to the Web is outdated and new developments like Web 2.0 introduce
challenges to Web security,” PureWire’s Judge said.
Enterprises are trying to do something about the security threat from the Web. The Osterman Research survey found that 79 percent of its respondents have established corporate policies against downloading certain types of files, 76 percent have deployed systems that selectively block downloads of certain file types, 69 percent of them use tools to block or monitor the use of Web applications at the firewall, and 31 percent use a Web security gateway to monitor the use of Web applications.
In addition, 46 percent of respondents lock down employee desktops to prevent users from installing certain Web applications and 39 percent do the same for employee desktops.
However, their attempts are not enough. Sixteen percent of the respondents said they were not completely successful in locking down employee desktops and 12 percent said they were not completely successful in locking down laptops against Web threats.
The problem could be partly due to the outdated approach to controlling
the Web in the enterprise. “Most controls in the enterprise were put in
place 10 years ago, when the main concern was controlling access to
pornographic sites,” PureWire’s Judge said. “Today, it’s a question of
security – how do I prevent users from accessing malicious Web sites – and
there’s a gap there which attackers recognize and exploit.”
The shift to Web applications is another part of the problem. “Antivirus
applications scan files and determine if the executables they contain are
good or bad, but in Web 2.0 applications like Google spreadsheets, you’re
not downloading executables to the desktop, you’re running them between the
browser and the Website so antivirus doesn’t work,” Judge said. “You need
something that understands what the Website is trying to do to the browser.”
Another issue lies in the nature of Web 2.0 technology itself, which
encourages user-generated content. “Ten years ago, content providers were
Web sites and you’d establish online trust by giving them certificates from
someone like VeriSign (NASDAQ: VRSN),” Judge said.
“In today’s world, when it’s millions of users generating the content,
how do you know whether the content is legitimate? There’s the absence of a
trust model that can deal with this.”