Results of Study on the State of Web 2.0 Security

The study found a noticeable discrepancy between the amount of concern over security threats, and how well prepared businesses actually are -- or even perceive themselves to be.

October 3, 2007

The results of a commissioned study were released today by Secure Computing Corporation. The study, conducted by Forrester, surveyed 153 IT professionals and security decision makers in companies with at least 1,000 employees and found -- among other things -- that while Web 2.0 usage is already prevalent in enterprises, organizations are not prepared to deal with the potential threats associated with the technology. The study further notes a lack of risk awareness, user training and consistent policies.

The study suggests that about half of the organizations surveyed spent more than 25 thousand dollars in the last fiscal year on malware remediation. It was therefore not surprising to learn that businesses are wary of Web 2.0 usage and associated threats. While 97 percent of all enterprise IT staff consider themselves "prepared," 79 percent have reported frequent attacks from malware. In addition, 79 percent of those surveyed are concerned about viruses, and 77 percent about Trojans, but only 12 percent were concerned about botnets, even though bot networks have been growing rapidly, as demonstrated by the recent estimate that the Storm threat was propagated by over 1 million computers in a single botnet. These findings confirm that the majority of today's enterprises are still concerned -- to a considerable degree -- about Web 2.0 threats in their organizations.

Other significant findings include:

  • It costs organizations from $15 to $30 per user per year to recover from malware threats alone
  • 92 percent of the respondents indicate that outbound data leakage prevention is an important aspect of Web filtering and 58 percent consider data leakage an extremely important business concern
  • That said, only 33 percent of the respondents have data leakage prevention capabilities in place today

While nearly 97 percent of those surveyed consider themselves prepared for Web-borne threats, a full 68 percent concede that there is room for improvement. However, it is important to note that when asked how often they experience malware attacks, 79 percent reported more than infrequent occurrences of malware, with viruses and spyware being the leading issues.

According to the study, "Today, the Internet is beleaguered with threats such as Phishing, viruses, Spyware, and botnets, all threatening to challenge your business operation. The need to keep inappropriate content at bay, reduce non-business bandwidth consumption, and limit exposure to Internet threats gave rise to the industry of Web filtering. The need for more effective Web protection has never been greater."

Recommendations Based on Study Findings:

Given the complexity of the current threat and technology environments, Forrester and Secure Computing recommend that organizations look beyond a simple filtering solution, and:

  • Employ next-generation Web filtering technologies, with enterprise-grade performance, scalability, and support for management. "Next-generation" capabilities include reputation services, blended threat protection and behavior-based detection. Additionally, outbound content control such as data leakage and application control is essential.
  • Re-examine the adequacy of security policies and protection capabilities. Report data shows that most organizations are confident that their protection policies and mechanisms are adequate, yet still face problems due to malware and data leakage. Organizations should re-evaluate policies and protection mechanisms in the face of the latest trends of Web-borne threats, especially those connected with Web 2.0 applications.
  • Improve user awareness and training on Web 2.0 and Web-borne threats. The first rule of thumb for improving security protection is considering people and process alongside technologies. Organizations should implement systematic and comprehensive training to communicate the magnitude and extent of Web threats to users.