Attacks on businesses have increased drastically over recent years as new vulnerabilities are discovered and exploited. As a matter of fact, 8 out of every 10 businesses experienced some type of web attack in 2012. Adobe, Java and Flash browser extensions account for the majority of vulnerabilities that are exploited. A properly secured web defense system is a must for any business, small or large, that deals with client data, online sales, or just stores company data online. This information is sensitive and confidential and should be protected by a secure system that includes endpoint protection and monitoring features.
A recent study by Webroot focused on companies that either have a web security solution or planned on implementing a system in 2013. The vast majority of businesses reported that they had been impacted, and the results of the web attacks included reduction in employee productivity, increases in help desk and IT staff time, disruption of the normal business operations, and loss of data. Some additional results of the study are as follows:
- 88% of Web security administrators say Web browsing is a serious malware risk to their firm.
- Phishing is the most prevalent Web-borne attack, affecting 55% of companies.
- Web security administrators report that Web-borne attacks have a significant negative impact on help desk time, IT resources, employee productivity and the security of customer data.
- Companies that deploy a Web security solution are far less likely to be victims of password hacking, SQL injection attacks, social engineering attacks and Web site compromises.
Hacking tools are easily available
One of the problems is that hacking tools, once kept secret by black hat hacking groups, are much more prevalent across the web today. There are numerous websites offering information on attacking websites, social network accounts, email accounts and more. Many of these sites even offer the tools needed. Hacking tools could once be used only on powerful Linux machines, but over the years they have been modified so that anyone with the slightest bit of computer knowledge can run the programs successfully using Microsoft Windows or other common operating systems. The availability of these tools has contributed to the sharp increase in the number of attacks on businesses. However, businesses that had a web security solution and solid backup plan in place reported fewer successful attacks on their systems than those businesses without.
Of all businesses surveyed, the top-ranking security challenge businesses face today is protection of corporate networks against web-based malware threats. Prevention of data breaches and data loss was the second-highest-ranked challenge. However, only 56% of those businesses reported the implementation of web security protection.
Phishing is one of the most widespread web attacks, and has a high success rate because the attackers create a website that simulates a legitimate site in order to trick users into entering their confidential details. For instance, an attacker may create a website that looks exactly like the front page of your financial institution’s website, then send you an email pretending to be from that institution which contains a link to click on. Once you click on the link, you are taken to the fake page, where you will usually enter your information. This information is instead captured by the attacker, who will instantly have access to your real banking account. More than 50% of businesses surveyed reported phishing attacks in 2012.
Phishing can be particularly dangerous to companies that store their data in the cloud. If an attacker successfully gains access to the company cloud account, they will have access to whatever is stored there: sensitive company information, confidential client information, contracts, financial records and information, and much more. The attacker may choose to steal this information, but may also choose to delete it. Without a solid cloud backup plan in place, the company can suddenly find itself missing a lot of important data. Of the businesses surveyed, 4 out of 10 reported suffering impacts from data breaches.
The risk of data loss
While the risk of data loss for small businesses is quite large, companies with over 1,000 employees showed a higher increase in the risk of suffering data loss. The majority of successful attacks are phishing attacks, followed by keyloggers, spyware, drive-by downloads and social engineering attacks, resulting in compromised websites, hacked passwords, data breaches and data loss. While larger companies did show an increase in the number of successful attacks on their systems, small businesses reported a high number as well, as you can see from the chart below.
The cost of being unprepared
Successful web attacks are costly and can have devastating effects. In the US, 15% of Web security executives estimate the cost of Web-borne attacks at $25,000 to $99,999, 13% at $100,000 to $499,999, and 6% at $500,000 to $10 million. Additionally, in the UK, 22% of Web security executives estimate the cost of Web-borne attacks at £25,000 to £99,999, 8% at £100,000 to £499,999 and 8% at £500,000 to £4 million. And sometimes, the loss of data can be so severe that a price cannot cover it. Some companies go under because of the loss. And yet, 44% of all businesses do not have web security protection or a solid data backup plan. And 53% of these businesses reported that they had experienced a compromised website.
How to prevent web attacks and data loss
Web attack prevention
The best way to deflect web attacks on a company network is to implement a secure web gateway solution that is effective in this new environment, as well as easy to deploy, quick to respond, and flexible as threats change. Due to BYOD programs and the ever-increasing numbers of remote workers, the web security solution should intercept traffic from both within and outside the network. BYOD protocols should be set firmly in place and employees should be informed of the correct protocols to follow and the consequences of failure to comply. Employees should also be taught to never click on links in emails, no matter how legitimate they appear. The website URL should be typed in manually or clicked on from a previously-saved bookmark, not from any outside source. This will prevent successful phishing attacks.
Data loss prevention
Having a solid web security solution will help prevent most attacks. But it is not fail-proof. Attacks can still get through. There may still be that employee who hasn’t had their coffee yet who inadvertently clicks on a link in an email. There may be an employee who has been recently disciplined or fired, but hasn’t had their access privileges revoked yet, who decides to access an account and delete data in revenge. No matter how secure a system is, there are always flaws that can be exploited. This is where cloudHQ comes into play.
While cloudHQ doesn’t prevent the web attacks (that’s what your web security solution is for), cloudHQ prevents you from taking any loss of data once a web attacker has successfully breached an account. The way it works is this: cloudHQ provides real-time synchronization and replication from one cloud account to another. This backup cloud account will not use the same authentication as any other company account. So if one of the main company cloud accounts is successfully breached, a complete secondary copy of your data is stored securely away on a completely separate cloud server. Restoration can be completed quickly and the company can continue to do business without interruption. This saves time and money, as it doesn’t require any additional IT services to back up or restore the data, employees will have minimal downtime, and business will not be disrupted for any length of time.
CloudHQ has already saved many companies from countless instances of data loss, which could potentially cost the companies thousands, or even millions, of dollars. Sign up for the 15-day trial, and see for yourself how cloudHQ can save you time and money, and how it can protect your company assets from instances of data loss.