Month: March 2012

Address Web Security Vulnerabilities or Suffer the Consequences

Do you have a limited IT security budget? Have you been able to implement all of the IT security controls you need to keep your network secure? It is unlikely that you have addressed all web security vulnerabilities effectively, as the majority of small to medium-sized businesses simply cannot afford to implement highly sophisticated controls to keep their networks properly protected from cyberattacks. Even large businesses with huge revenues and obscene annual profits are not able to prevent all cyberattacks from occurring.

You may want to implement data loss prevention software, social media website management systems, complex multi-layered network security systems, and a wide range of anti-malware and anti-virus solutions, but cybersecurity budgets can only be stretched so far!

The trick is to become an expert in assessing risk. Conduct a thorough risk assessment, identify all security vulnerabilities, determine which pose the largest risk, and spend your budget accordingly to minimize risk as best you can. Fortunately, a number of cost-effective solutions can be implemented that will reduce risk to an acceptable level, and they can easily be deployed by small to medium-sized businesses. Doing nothing and hoping for the best is not an option. Hackers are not only targeting large corporations. They know that budgetary constraints make small to medium-sized businesses particularly vulnerable to attack.

Calculate the cost of not addressing web security vulnerabilities

Small business owners may be loath to spend money on security solutions to protect their systems from attack and keep their data secure. Many choose not to bother, only to suffer a cyberattack. It’s only then that they find out the cost of not addressing web security vulnerabilities. That cost can be considerable, and all too often catastrophic. Many companies fold within six months of suffering a cyberattack.

What is the cost of a cyberattack? According to a study conducted by Osterman Research, the cost of not addressing web security vulnerabilities is considerable. Its researchers determined that the failure to take precautions against hackers would likely cost the average company approximately $278,000 over a period of four years.

Compare this to the cost of implementing a web filtering solution to prevent end users from falling for a phishing campaign, or accidentally downloading malware, and the price seems very low indeed. WebTitan will protect a company with 500 users from as little as $4,250. Some companies provide similar solutions that cost $108,000!

Osterman researchers took a provider that charged $27,000 per year for the service as an example. That may seem like a lot of capital to commit to one cybersecurity defense, but it is only $54 per user per year. Compare that to the likely cost of suffering cyberattacks over a 12-month period ($85 per user, per year) and the cost saving would be $14,000 per year. With WebTitan the cost saving would be $103,750 over a four-year period. That is a saving of over $25,000 per year.

The cost of implementing cybersecurity defenses may seem high, but it is important to bear in mind the cost of not implementing a solution to deal with web security vulnerabilities and the impact those costs would have on the business.

Sloppy IT Security Practices: Slow Patching of Software

You may have installed highly sophisticated and expensive cybersecurity defenses, but have you forgotten any of the basic security measures, such as enforcing strong passwords, conducting regular malware scans, and installing software patches promptly? Many companies invest heavily in IT security, yet still have sloppy IT security practices. A recent report by M86 suggests that system administrators are forgetting some very basic security measures.

Eradicate sloppy IT security practices

Tightening up network security controls should start with the eradication of sloppy IT security practices. Hackers like a nice easy entry point into a corporate network and unpatched software gives them that.

The M86 report revealed that one of the most commonly used exploits targets an ActiveX vulnerability that existed in early versions of Internet Explorer. Microsoft released a patch to correct the vulnerability in 2006. That’s six years ago. Hackers are still using that vulnerability to gain access to computers and networks. Some companies have not upgraded to the latest version of the browser; others have not updated it at all since 2006.

This is just one of a myriad of security flaws that have been discovered in computer software. Barely a day goes by without a new security vulnerability being discovered in common software used by businesses around the world. As soon as a vulnerability is discovered, exploits are developed to take advantage of it. Any company that does not install patches as soon as they are released leaves itself extremely vulnerable to attack. Many exploits have remained in use for several months, and some for several years, because software updates have not been installed.

PDF spam has been linked to a vulnerability discovered by Symantec in March 2010; Sophos found that a 14-month-old vulnerability was still being extensively exploited by hackers; and numerous other security companies have discovered similar exploits being used against outdated software.

Don’t forget to implement basic security measures

There is no excuse for not upgrading regularly used software, but remember to also update older software that is still occasionally used. You may miss a patch, but a hacker is unlikely to.

There are other basic security measures that are still not being implemented. Take email spam for example. Many companies have yet to install an email spam filter to prevent spam and phishing emails from being delivered to employees’ inboxes.

Web filtering solutions are still not being used to prevent end users from visiting malicious websites or viewing pornography and gambling sites at work. Password controls are still not being used to prevent weak passwords from being set by end users.

Expensive anti-virus, anti-malware, and anti-spyware solutions may be implemented, yet definitions are not updated daily and network scans are not being scheduled.
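The basic measures described above (prompt patching, daily anti-virus definition updates, scheduled scans, and a minimum password policy) are easiest to keep in place when they are checked automatically against an asset inventory. The script below is an added example, not code from the original posts or from WebTitan; the Host and Software classes, the thresholds, the hostnames and every inventory value are constructed assumptions for illustration, and the thresholds should be aligned with your own patch policy.

```python
"""Basic-hygiene audit over a constructed software inventory.

Added example (not from the original article). It turns the post's list of
"basics" into a check: an available patch left uninstalled too long, stale
anti-virus definitions, no recent full scan, and a weak password policy.
All hosts, products and dates below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds are assumptions for illustration; align them with your own patch SLA.
MAX_PATCH_AGE_DAYS = 30       # an available patch left uninstalled this long is flagged
MAX_DEFINITION_AGE_DAYS = 1   # anti-virus definitions should be refreshed daily
MAX_SCAN_AGE_DAYS = 7         # a full malware scan at least weekly
MIN_PASSWORD_LENGTH = 8       # the password control the post says is often missing


@dataclass
class Software:
    name: str
    installed_version: str
    latest_version: str
    patch_released: date      # date the vendor shipped latest_version


@dataclass
class Host:
    hostname: str
    software: List[Software]
    av_definitions_updated: date
    last_full_scan: Optional[date]   # None means the host has never been scanned
    min_password_length: int         # policy enforced on this host


def patch_age_days(sw: Software, today: date) -> int:
    """Days a vendor patch has been available but not installed (0 if current)."""
    if sw.installed_version == sw.latest_version:
        return 0
    return (today - sw.patch_released).days


def audit_host(host: Host, today: date) -> List[str]:
    """Return one finding per basic control the host fails, in a fixed order."""
    findings = []
    for sw in host.software:
        age = patch_age_days(sw, today)
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(
                f"unpatched: {sw.name} {sw.installed_version} -> {sw.latest_version} "
                f"(patch available for {age} days)")
    if (today - host.av_definitions_updated).days > MAX_DEFINITION_AGE_DAYS:
        findings.append("stale anti-virus definitions")
    if host.last_full_scan is None or (today - host.last_full_scan).days > MAX_SCAN_AGE_DAYS:
        findings.append("no recent full malware scan")
    if host.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"weak password policy (min length {host.min_password_length})")
    return findings


def audit_fleet(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    """Audit every host; hosts with no findings are omitted so the report reads as a to-do list."""
    report: Dict[str, List[str]] = {}
    for host in hosts:
        findings = audit_host(host, today)
        if findings:
            report[host.hostname] = findings
    return report


# Constructed sample inventory (not real systems). ws-01 runs a browser whose
# update has been available since 2006, mirroring the post's six-year-old patch.
TODAY = date(2012, 3, 15)
SAMPLE_HOSTS = [
    Host("ws-01", [Software("web browser", "6.0", "9.0", date(2006, 6, 1))],
         av_definitions_updated=date(2012, 3, 10), last_full_scan=None,
         min_password_length=6),
    Host("ws-02", [Software("pdf reader", "10.1.2", "10.1.2", date(2012, 1, 10))],
         av_definitions_updated=date(2012, 3, 15), last_full_scan=date(2012, 3, 12),
         min_password_length=12),
]

if __name__ == "__main__":
    for hostname, findings in audit_fleet(SAMPLE_HOSTS, TODAY).items():
        print(hostname)
        for finding in findings:
            print("  -", finding)
```

Running it against the sample inventory reports ws-01 with four findings and says nothing about ws-02, which is the point: a short report that lists only what still needs doing, so the six-year-old patch does not quietly survive in a long list of "green" items.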

Regardless of how large your security budget is and how good your cybersecurity protections are, if you forget some of the basics your network will remain extremely vulnerable to attack!

Have you gone back to basics and corrected sloppy IT security practices? You may be surprised to find out how many have been allowed to persist!