of firms with remote users say Web-borne attacks impacted company financials.

Transcription

1

2 Introduction As the number of users working from outside of the enterprise perimeter increases, the need for more efficient methods of securing the corporate network grows exponentially. In Part 1 of this two-part series, we examined how Web-borne attacks were impacting businesses, with the majority of companies reporting significant effects in the form of increased help desk time, reduced employee productivity and disruption of business activities. In Part 2 of the series, our report reveals that the impacts of Web-borne attacks are more severe for companies with employees who have remote access to the corporate network, or other corporate online resources, via their laptops, tablets or smartphones. Webroot recently conducted research to assess the state of Web security in businesses throughout the United States and United Kingdom. The study which focused on companies that currently have a Web security solution or plan to deploy one in 2013 found that almost twice as many companies with remote users reported Web-borne attacks by criminals, which compromised the security of customer data and negatively impacted financials. 50% of firms with remote users say Web-borne attacks impacted company financials. The proliferation of mobile devices for business use and the need to grant remote user access exposes corporate networks to high rates of malware threats, including phishing attacks, spyware, keyloggers and hacked passwords. While allowing such devices to access company resources aids productivity, the potential for new exploits to compromise businesses creates significant security risks to the companies and private data. Compounding the situation is that most traditional security solutions are ineffective at stopping zero-day malware and companies do not give priority to implementing sensible policies and controls over remote employees. Key Findings 64% of companies allow remote access to servers for 25% to 100% of employees. 90% of companies agree that managing the security of remote users is extremely challenging. 71% of Web security professionals who say managing remote users is highly challenging experienced Web-borne phishing attacks in % of US firms with remote users estimate the cost of Web-borne attacks at $25,000 to $10 million. SURVEY: Remote Users Expose Companies to Cybercrime 2

3 Study Overview In the past, corporate IT departments had the option of carefully controlling physical access to the network, as well as managing the software and hardware used by employees for network access. This approach is no longer feasible in the context of remote access. Physical security is now difficult or impossible to control, and the mobile devices used for remote access are often completely beyond the reach of network administrators. As an example, vulnerabilities in mobile Web browsers pose a major threat to mobile device security and have led to an increasing number of successful attacks in Both the devices default browser and browsers embedded within apps are possible attack points, as mobile apps are increasingly reliant on Web browsers. Additionally, mobile device browsers often do not receive patches and updates, so while corporate systems can be manually configured not to trust compromised certificates and can receive a software patch in a matter of days, it can often take months to remediate the same threat on mobile devices. The new research indicates data theft as the primary goal in new types of mobile attacks. Scenarios include exploiting a mobile browser vulnerability to get a remote shell that enables the attacker to remotely run commands on the phone s OS and malicious threats that use , SMS and the mobile Web browser to launch an attack, then silently record and steal data. According to the study, companies with 25% or more of their employees with remote access report higher rates of Web-borne attacks, with 50% experiencing website compromises in Majority of companies allow remote access Remote access computing allows those within companies including senior management, IT personnel and marketing and sales staff to be constantly connected and react quickly from any location. Six in ten companies allow 25% or more of their employees to have remote access to servers via laptops, tablets or mobile phones. The majority are concentrated in five industries: Professional, Scientific and Technical Services (20%); Manufacturing (14%); Banking, Finance and Insurance (11%); Health Care (5%); and Computer Hardware and Software (5%). Company workforce with remote access SURVEY: Remote Users Expose Companies to Cybercrime 3

4 90% of companies say managing mobile security is challenging. Managing the security of remote users is challenging Remote access helps employees connect easily to network resources. However, it is important to also reduce the risk of cybercriminals gaining access to the same resources. According to study respondents, nine in ten companies agree that managing the security of remote users is extremely challenging. Between supporting onsite staff, teleworkers and new mobile devices, IT departments are being challenged to enable secure access by ever larger, more diverse populations while simultaneously grappling with shrinking budgets and compliance mandates. Managing the security of remote users is extremely challenging Web attacks higher in companies with mobile workforces Enabling access to corporate networks from a broad range of mobile devices requires implementing sensible policies and controls, and many companies are paying the price for this lack of protection. Companies with 25% or more of their employees accessing the network remotely experience higher rates of Web attacks. Alarming results show half of companies with remote users had their websites compromised and over a third had passwords hacked. Twice as many companies with remote users were victims of SQL injection attacks. Higher rates of Web attacks on companies with remote users SURVEY: Remote Users Expose Companies to Cybercrime 4

5 Impacts of Web attacks are more severe for firms with remote users Companies with mobile workforces experience more serious impacts when cybercriminals attack. Seven in ten companies with one-quarter or more of employees with remote access reported that Web-borne attacks required additional IT resources to manage Web security, significantly reduced employee productivity and disrupted business activities. More concerning, almost twice as many companies with a mobile workforce reported that Web-borne attacks compromised the security of customer data, negatively impacted financials and damaged the company s reputation. Impact of Web-borne attacks Cost of Web attacks is higher for firms with remote users Research shows that half of US companies with remote users estimate a cost of $25,000 to $10 million due to Web-borne attacks in This is nearly double the rate of companies with less than 25% remote users. In the UK, 43% of firms with remote users estimate the cost of attacks at 25,000 to 4 million, more than double the share of firms with less than a quarter of employees with remote access. Web-borne phishing attacks most prevalent Among Web security professionals that find managing mobile security highly challenging, seven in ten experienced phishing attacks and five in ten dealt with keyloggers and spyware, drive-by downloads and Web site compromises in Companies Highly Challenged by Managing Mobile Security SURVEY: Remote Users Expose Companies to Cybercrime 5

6 50% of companies with remote workers had Web sites compromised. What can companies do? Mobile browser security is essential to reduce the vulnerabilities from websites containing malware, stop phishing attacks and reduce the risk of data loss through browser-based malware. Webroot advises companies to enforce a secure Web browser policy for all mobile device users. This should be mandatory if employees are to have remote access to any corporate network, or other corporate online resources via their laptops, tablets or smartphones. The following secure browser controls and components will reduce the risks associated with mobile browsing. Integrate Browser-Based URL Filtering At the most basic level, browser-based URL filtering technology stops users from accessing undesirable or malicious websites, including many that may host malware. With company-owned devices it will also allow administrators to enforce compliance with acceptable Internet usage policies. Enforce Device-Level Security A privacy or identity shield feature helps by isolating the browser from the rest of the device and stopping keyloggers (or other malicious software) from intercepting data about what a user is doing online. Thus, items like passwords, authentication credentials and any other sensitive information is protected. Perform Real-Time Reputation Rating For even safer browsing, being able to perform real-time reputation scoring of search engine results from Google, Yahoo, Bing and Ask, and then identifying those results as safe, unknown or known threats, stops users from clicking unintentionally through to malicious sites. Deploy Antiphishing Detection Given the prominence of phishing attacks, it is critical to block phishing sites based upon their characteristics, rather than blacklists that are immediately out of date, in order to stop these shortlived websites from stealing corporate or user data. Establish Content Control Policies The ability to control browser content uploads and downloads is another important feature as often the posting of company documents to a personal account or cloud storage service contravenes compliance rules and leads to undesirable data leakage. SURVEY: Remote Users Expose Companies to Cybercrime 6

7 Survey Methodology In 2012, Webroot commissioned a study to measure the prevalence of Web-borne attacks and identify factors that mitigate the consequences. The scope of the research included companies with 100 to 4,999 employees that currently have a Web security solution or plan to implement one in From December 20 through December 24, 500 Web security decision-makers (403 in the US and 97 in the UK) completed the online survey hosted by Qualtrics. Research Now provided respondents from their online panel of IT and business executives, and Lawless Research provided quantitative data analysis. The margin of error for the study is +/- 4.4 percentage points at the 95 percent level of confidence. About Webroot Webroot is bringing the power of software-as-a-service (SaaS) to Internet security with its suite of Webroot SecureAnywhere offerings for consumers and businesses. Webroot also offers security intelligence solutions to organizations focused on cyber-security, such as Palo Alto Networks, F5, Corero, Juniper, SOTI, NEC, and others. Founded in 1997 and headquartered in Broomfield, Colorado, Webroot is the largest privately held security organization based in the United States. For more information, visit webroot.com or call Read the Webroot Threat Blog: blog. webroot.com. Follow Webroot on Twitter: twitter.com/webroot. Webroot Headquarters 385 Interlocken Crescent, Suite 800, Broomfield, Colorado USA 2013 Webroot Inc. All rights reserved. Webroot, SecureAnywhere, and Webroot SecureAnywhere are trademarks or registered trademarks of Webroot Inc. in the United States and other countries. All other trademarks are properties of their respective owners. SURVEY: Remote Users Expose Companies to Cybercrime 7