Malware is becoming both more prevalent and more subtle, and the methods by which it is being distributed are evolving rapidly. Web sites are now the most popular attack vector and the objective is generally data theft, be that employee or customer data or intellectual property.
Legitimate sites are being used to distribute malicious code, snaring unwary visitors into downloading viruses and giving away information. We are also witnessing more and more attacks that use Facebook and Twitter as a vector.
However, many organisations act as though nothing has changed. Computing surveyed 150 business decision makers about their experience of web attacks. The survey also asked how organisations guard against phishing attacks and hacks of their corporate web site.
A massive 79 per cent reported that their systems have been infected with malware. 41 per cent reported phishing attacks with 32 per cent suffering other forms of "social engineering" or deceptive attacks, leading to malware infecting their networks.
The survey revealed that at least one in 10 business web sites has been compromised in some way. Imagine a high street in which one shop in 10 has been broken into, with the thieves stealing credit card details, names, addresses, dates of birth and so on and you start to appreciate the scale of the problem. For these firms their shop window has become an open door. A further 12 per cent did not know whether they had been compromised or not, or were not prepared to say.
So, how did these businesses discover their web site had been compromised?
Worryingly only a quarter reported that their IT security systems detected the breach before damage had been done. More common was the situation in which the web site had been obviously defaced. Often this defacement was reported by customers rather than staff – hardly a desirable situation.
Computing asked what systems respondents had in place to alert them in the event of a web site compromise
Some 34 per cent of respondents have their web site scanned regularly as part of the service provided by either the certificate authority (CA) or web security vendor. However, 35 per cent of respondents have no formal system in place and 27 per cent rely on scheduled penetration testing. Penetration testing will pick up compromises but it is usually performed quarterly or bi-annually. This means malware could lie undiscovered for months silently siphoning off corporate assets.
The survey illuminates a remarkable blind spot. While the threat of malicious code being spread by web sites was listed as the number one concern, very few of the respondents view their own web site as being at risk of becoming a vector – music to the ears of the malware writer.
To see the results and analysis of this exclusive research, download the report