Computing research reveals businesses underestimate the threat of web-based attacks

By John Leonard
01 Jun 2011 View Comments
A hacker committing cyber crime on a laptop

Malware is becoming both more prevalent and more subtle, and the methods by which it is being distributed are evolving rapidly. Web sites are now the most popular attack vector and the objective is generally data theft, be that employee or customer data or intellectual property.

Legitimate sites are being used to distribute malicious code, snaring unwary visitors into downloading viruses and giving away information. We are also witnessing more and more attacks that use Facebook and Twitter as a vector.

Further reading

However, many organisations act as though nothing has changed. Computing surveyed 150 business decision makers about their experience of web attacks. The survey also asked how organisations guard against phishing attacks and hacks of their corporate web site.

A massive 79 per cent reported that their systems have been infected with malware. 41 per cent reported phishing attacks with 32 per cent suffering other forms of "social engineering" or deceptive attacks, leading to malware infecting their networks.

The survey revealed that at least one in 10 business web sites has been compromised in some way. Imagine a high street in which one shop in 10 has been broken into, with the thieves stealing credit card details, names, addresses, dates of birth and so on and you start to appreciate the scale of the problem. For these firms their shop window has become an open door. A further 12 per cent did not know whether they had been compromised or not, or were not prepared to say.

So, how did these businesses discover their web site had been compromised?

Worryingly only a quarter reported that their IT security systems detected the breach before damage had been done. More common was the situation in which the web site had been obviously defaced. Often this defacement was reported by customers rather than staff – hardly a desirable situation.

Computing asked what systems respondents had in place to alert them in the event of a web site compromise

Some 34 per cent of respondents have their web site scanned regularly as part of the service provided by either the certificate authority (CA) or web security vendor. However, 35 per cent of respondents have no formal system in place and 27 per cent rely on scheduled penetration testing. Penetration testing will pick up compromises but it is usually performed quarterly or bi-annually. This means malware could lie undiscovered for months silently siphoning off corporate assets.

The survey illuminates a remarkable blind spot. While the threat of malicious code being spread by web sites was listed as the number one concern, very few of the respondents view their own web site as being at risk of becoming a vector – music to the ears of the malware writer.

To see the results and analysis of this exclusive research, download the report

Reader comments
blog comments powered by Disqus
Newsletters
Windows 10 - will you upgrade?

Microsoft has made an early version of Windows 10 - its next operating system - available for download. The OS promises better integration and harmonisation across platforms, including mobile and desktop. Will your business be upgrading?

37 %
33 %
11 %
19 %