Irrespective of workplace, chances are there are cyber criminals lying in wait to hoover up both individual and corporate credentials, whether it is through phishing or malware deposited on corporate assets by the simple act of browsing.
OK, you don’t let corporate users browse those kinds of sites. But do you let them browse the BBC? Newsweek? The New York Times? How about MSN? All were recently victims of malvertising, where bad guys use top-tier sites to distribute malware-laden online ads through online advertising companies.
Worryingly, a mere 25 per cent of real-world malware is caught by anti-virus software, according to the Five Habits of Highly Successful Malware. And, although employee security awareness sessions can have an impact, a recent study shows that 50 per cent of victims still can’t resist opening questionable e-mails and clicking on the link within an hour.
Then there’s the ongoing headache of employees in the workplace accessing their financial institutions online, where phishing and malware are rampant.
Research from IDC indicates 30 to 40 per cent of workplace internet access is spent on non-work related activities. This may be why our F5 Security Operations Center (SOC), which has experts monitoring and analysing real-time threats 24/7, observed that phishing attempts were significantly higher during the week than at the weekend. Monday, in particular, seems a very popular day to go phishing.
Other challenges to contend with include employees accessing corporate assets through an SSL VPN (secure sockets layer virtual private network) or other “protected” portals from outside the corporate walls. The malware that’s sitting in their browser right now doesn’t really care whether it’s grabbing corporate or consumer-related credentials. They’re all worth something to the attacker and, having gone to all the effort of infecting that device in the first place, why not grab everything on offer?
The reality is that nobody can rest easy; it’s a short step from cyber-security ignorance to having your name in the headlines for the wrong reasons and your reputation in tatters. You also have to consider the potential of social media-fuelled noise that can quickly turn pristine brands into mocking memes.
Taking your eye off the ball can come at an eye-watering price. In addition to the reputational hits and their consequences, heavy costs and resources are needed to root out every instance of malware and backdoors, even after a single successful phishing expedition. For example, desktops need to be wiped and reinstalled to eliminate those that got in from drive-by downloads or malvertising. The clean-up process is uncomfortable, whichever way you slice it.
The good news is there are tools that address the threats from phishing and malware – a lot of them. The thing is, they are generally categorised as “anti-fraud”, and mentioned in the context of finance and banking and other money-based industries. But these solutions aren’t peculiar to finance and banking. There’s nothing magical about the way those industries interact with customers that makes anti-fraud only applicable to protecting them.
By adopting the correct solutions, any industry can combat web fraud and the web apps and technologies that trick, deceive and coerce individuals into giving up their credentials.
What the best web fraud solutions do is actively seek out and prevent the theft of credentials that ultimately assist attackers in breaching security. Whether the attackers are after cash or data is irrelevant. Once they’re collecting credentials, they’re collecting any credentials. And that should be a concern for business in any industry.