Webroot recently surveyed IT security personnel at 803 small to medium-sized businesses (SMBs) in the US, UK, and Australia and found that although their companies believed they were adequately protected against web-based threats, the number of successful attacks they faced told an entirely different story.
Nearly half of the companies surveyed (49.8%) were in the US, with 73% of those responding saying web-based threats are more significant than those coming via e-mail. A further 80% of companies believe malware delivered via Web 2.0 applications to be the biggest threat they face in 2010.
Although 8 of 10 companies acknowledged the web-based threats they face, almost three-quarters thought they had sufficient security safeguards in place. Nonetheless, 65% of the companies polled experienced a web-based attack over the past year, including spyware, viruses, hacking, and compromised websites.
What the data show, Webroot noted, is an apparent gap between perceived protection against web-based threats and the actual number of attacks these organizations face.
The report from Webroot, which outlined results of its online survey, said the company’s researchers have seen a “steady migration by the online underground”, as attacks continue to shift toward various web delivery methods.
Larger organizations, which tend to use more Web 2.0 applications in the workplace, suffered from more frequent web-based attacks according to the survey. Seventy-one percent of these larger companies (greater than 500 seats) experienced a web-based virus or worm attack, versus 59% for smaller companies, indicating a relationship between the use of web-based applications and increased exposure to threats.
Preventing web-based threats was achieved at a marginally better rate for companies that employed third-party security as a service (SaaS) tools. The Webroot survey showed that, depending on attack vector, companies that used web-based SaaS enjoyed anywhere from a 2–12% decrease in the number of attacks, with the biggest benefits coming in the areas of virus/worm, phishing, and site compromise prevention.