Browser-borne Malware Costs Top $3.2Mn

Enterprise IT failure to defend against web-borne malware is a rapidly growing enterprise data security threat, new research has revealed, with more than 75% of enterprises having been infiltrated via inherently insecure browsers.

According to the Ponemon Institute report, there’s also a very real cost attached to the issue, apart from fraud-related costs and impact on valuation from data leakage. The findings reveal the average cost to respond to and remediate just one security breach resulting from failed malware detection technology to be approximately $62,000.

Ponemon estimates that such attacks and infections have cost survey respondents an average of $3.2 million.

All of the companies surveyed in the research deploy a multi-layer, defense-in-depth security architecture, the firm noted. But these same organizations still experienced an average of 51 security breaches over the past 12 months, revealing a clear failure of detection-based security technologies in preventing browser-borne malware.

"The findings of this research reveal that current solutions are not stopping the growth of web-borne malware," said Larry Ponemon, chairman and founder of Ponemon Institute, in a statement. "Almost all IT practitioners in our study agree that their existing security tools are not capable of completely detecting web-borne malware, and the insecure web browser is a primary attack vector."

The awareness is there: 69% of IT and security professionals surveyed believe browser-borne malware is a more significant threat today than just 12 months ago, and is more serious than other types of malware infections. And, 89% are certain or believe that their organization has been infected without detection.

Also, the vast majority of those surveyed cite insecure web browsers as a primary attack vector (81% strongly agree or agree), and three-quarters (74%) of those surveyed strongly agree or agree that traditional detection-based technologies are becoming ineffective in stopping these attacks. Additionally, only 31% of respondents strongly agree or agree that commercial browsers contain effective security tools for blocking web-borne malware.

"While the Web browser has become the most strategically important application on corporate desktops, it is also, unfortunately, the most vulnerable application in terms of being a delivery channel for malware leading to cyber-attacks," said Branden Spikes, CEO, CTO and founder at report sponsor Spikes Security. "What many organizations forget is that the browser is the only application that is permitted to download and execute code from a third-party location—any external website."

Even so, most respondents believe web malware prevention remains a low priority. Ponemon noted that the average annual IT security budget is approximately $7.8 million, and 39% of the budget is spent on defense-in-depth security tools such as web gateways, IPS and anti-virus, which have proven to be ineffective. The survey found that organizations would allocate an average of 33% of their total security budget to reduce web-borne attacks by 50%. To stop 100% of these attacks, they would allocate an average of 50% of the budget.

“Every time you allow unknown code into your network, you put yourself and your business at risk,” Spikes said. “This is why browser isolation outside the network is so important. It is the only way to prevent this problem.”
