Spending More on Breach Prevention Isn't Fixing the Problem

Three-quarters (75%) of respondents in a recent survey said that breach prevention and detection is more difficult today compared to two years ago—despite heightened awareness and spending.

A survey from Enterprise Strategy Group found that of those respondents, 59% report that malware has grown more sophisticated over the last two years, and is presenting fresh challenges, despite the fact that 87% of all organizations surveyed have increased endpoint protection spending in the same time period. 

The survey also found that browser-based security breaches in particular had a number of costly ramifications. For example, among organizations that experienced a security breach within the past 24 months from an attack introduced into the network via an endpoint browser, 81% say that the time required to remediate these security breaches was “very significant” or “significant”; 72% state that security breaches led to “very significant” or “significant” regulatory fines; and 38% report that browser-based security breaches led to a “very significant” public relations impact.

The impact of breaches associated with commonly used web browsers is also compounded by ineffective policies that put too much freedom and control in the hands of end users. A full 84% of organizations commonly allow multiple browsers to be deployed on endpoints, which are primary vectors for targeted cyber-attacks.

IT departments do try to minimize the risks of these attacks: 85% report that their departments work to keep browsers and patches updated, and 84% monitor browser configurations for vulnerabilities. Unsurprisingly, 82% of respondents are also concerned about files containing malicious content downloaded via browsers.

“One key finding here is that there appears to be too much time and effort focused on securing a product that is inherently insecure—the browser,” notes Jon Oltsik, senior principal analyst with the Enterprise Strategy Group. “Despite efforts to stay on top of patches and updates—and spending more on endpoint security products that should detect malware—it is obvious that IT organizations are becoming frustrated in their attempts to stay ahead of cybercriminals.”

Enterprise IT is open to a new approach, however. An overwhelming 92% of IT and information security professionals surveyed would characterize their organization as being “very aggressive” or “somewhat aggressive” in terms of their willingness to test and adopt new types of cybersecurity technologies, and 90% of respondents are familiar with next-generation technologies that isolate web sessions—and malware—outside the network. They indicated strong interest in testing and deploying solutions that can prevent browser-based attacks.

“The common web browser is a malware distribution system for advanced persistent threats,” said Branden Spikes, CEO, CTO and founder, Spikes Security, which commissioned the study. “It’s simultaneously the most ubiquitous and strategically important application in the enterprise, so naturally it has become the focus for hackers. Every click can potentially place the network and the organization at risk.”
