Risky Business: Unsafe Web Browsing


The sad fact of web browsing is that dangers lurk around every virtual corner. From imposter websites to bogus pop-up windows to malware-laden ads and downloads, browsing sessions can be hazardous to your business.


Even with browser security and anti-virus software becoming more sophisticated, web-borne incidents continue to trouble organizations and individuals alike. A February 2015 research report by the Ponemon Institute, The Challenge of Preventing Browser-Borne Malware, presents the findings of a survey of 645 IT and IT security practitioners about their efforts to detect and contain malware. Here are some key findings about these growing insider threats:

  • In the 12 months prior to the Ponemon survey, respondents experienced an average of 51 security breaches because of failures with malware detection technology.
  • The average response and remediation cost associated with just one of these breaches was approximately $62,000. That puts the cost of 51 breaches at more than $3 million.
  • The vast majority (69%) of respondents said browser-borne malware was a more significant threat than it was a year prior to the survey.
  • On average, 55% of the total malware infections were the result of a user’s insecure browser.
  • Only 31% of respondents agreed that common commercial browsers — Chrome, Internet Explorer, Safari, etc. — contain effective tools for blocking web-borne malware.

Three Better Browsing Behaviors to Share With Your Employees

Operator error is the source of many cyber security risks in the workplace and beyond. At Wombat, we strongly believe that increasing awareness and teaching employees how to recognize and change poor behaviors is essential to reducing risk. Here are three pieces of advice we discuss in our Safer Web Browsing interactive training module:

  • Get to know your browser’s security features – Automatic browser updates are likely to be used by most (if not all) IT departments, and this is a great way to ensure that users’ browsers always reflect the latest security patches and bug fixes. It’s also critical that work and personal browsers be set to use the most advanced security settings, which doesn’t happen by default. Different browsers offer different safeguards, and it’s a good idea for users to understand how their browsers implement security features. (An important side note from a policy perspective: If your IT group defines security settings, employees must be instructed not to make changes or enable/disable non-sanctioned functionality. Convenience features like auto-complete and password storage can make logins quick and easy but can considerably weaken security on individual devices.)
  • Avoid unsolicited pop-up windows – Most browsers effectively block dangerous pop-up windows, but they aren’t foolproof. Prompts to download special plug-ins, random ads, and warnings of viruses must be treated with extreme caution — even if these items appear on trusted sites. The safest rule of thumb is not to interact with these windows; if possible, they should be closed from the task tray, by using the “Esc” button, or via some other option that does not require the user to click any buttons within the pop-up, including the X to close. Should the X be the only option, users should stay alert to any triggers within their browser that follow the click (e.g., being routed to a new website or being asked to install a new application).
  • Never download pirated content – There is a plethora of sites that distribute pirated content. Not only are these downloads illegal, they are also extremely dangerous. Hackers know how tempting these files are; unsuspecting users are all too happy to nab free downloads of unreleased movies, music, and premium software titles that would normally cost a fee to access. Unfortunately, these files often have malware along for the ride. The bottom line is that pirated content is never safe to use.

 

Did you miss the first installment in our Risky Business series? Check out our advice about social engineering now.
