In New ESG Study, IT Professionals Cite Escalating Security Vulnerabilities and Operational Issues; Say Securing the Browser is an Administrative Nightmare
Spikes Security [1], the isolation security company, today announced findings of a new survey of IT and information security professionals, commissioned by Spikes Security and conducted by The Enterprise Strategy Group, Inc. (ESG) to assess cybersecurity risks related to web browsers, and organizational strategies to address them. “The State of Browser Security” examines the cybersecurity risks and the impact of breaches associated with commonly-used web browsers, which are compounded by ineffective policies that put too much freedom and control in the hands of end users.
The study surveyed 200 IT and information security professionals responsible for/familiar with their organization’s security requirements for browsers deployed on endpoint devices. All respondents were either employed with midmarket companies (defined as organizations with 100 to 999 employees, 31 percent of respondents) or enterprise organizations (defined as organizations with 1,000+ employees, 69 percent).
Seventy-five percent of respondents stated that breach prevention and detection is more difficult today compared to two years ago. Of those respondents, fifty-nine percent report that malware has grown more sophisticated over the last two years, despite the fact that 87 percent of all organizations surveyed have increased endpoint protection spending in the last two years. The problem is further complicated by the fact that 84 percent of organizations commonly allow multiple browsers to be deployed on endpoints, which are primary vectors for targeted cyber attacks. IT departments try to minimize the risks of these attacks: 85 percent report that their departments work to keep browsers and patches updated, and 84 percent monitor browser configurations for vulnerabilities. Unsurprisingly, 82 percent of respondents are also concerned about files containing malicious content downloaded via browsers.
“One key finding here is that there appears to be too much time and effort focused on securing a product that is inherently insecure – the browser,” notes Jon Oltsik, senior principal analyst with the Enterprise Strategy Group, Inc. “Despite efforts to stay on top of patches and updates – and spending more on endpoint security products that should detect malware – it is obvious that IT organizations are becoming frustrated in their attempts to stay ahead of cyber criminals.”
OPEN TO A NEW APPROACH: An overwhelming 92 percent of IT and information security professionals surveyed would characterize their organization as being “very aggressive” or “somewhat aggressive” in terms of their willingness to test and adopt new types of cybersecurity technologies, and 90 percent of respondents are familiar with next-generation technologies that isolate web sessions – and malware – outside the network. They indicated strong interest in testing and deploying solutions that can prevent browser-based attacks.
“The common web browser is a malware distribution system for advanced persistent threats,” said Branden Spikes, CEO, CTO, and Founder, Spikes Security. “It’s simultaneously the most ubiquitous and strategically important application in the enterprise, so naturally it has become the focus for hackers. Every click can potentially place the network and the organization at risk.”
OTHER KEY FINDINGS:
- CONSEQUENCES OF ORGANIZATIONAL SECURITY BREACHES: Browser-based security breaches had a number of costly ramifications. For example, 81 percent of organizations that experienced a security breach within the past 24 months related to an attack that was introduced into the network via an endpoint browser, say that the time required to remediate these security breaches was “very significant” or “significant,” 72 percent state that security breaches led to “very significant” or “significant” regulatory fines, and 38 percent report that browser-based security breaches led to a “very significant” public relations impact.
- IT DEPARTMENTS STRUGGLE TO MAINTAIN SECURITY: Although browser security and management was a priority, ESG’s findings revealed that a majority of organizations are not keeping up with many critical security maintenance activities. While this is certainly understandable given the large population of endpoint devices with multiple browsers, security operations lapses leave organizations open to attack. Of particular concern are statements such as:
- 57 percent of IT and information security professionals agree that: “_It’s impossible to control user browsing behavior, despite our attempts to enforce policies_.”
- 54 percent of IT and information security professionals agree that: “_We have so many endpoint devices, it’s too expensive and time-consuming to ensure they are all properly protected.”_
- 54 percent of IT and information security professionals confirm: “_We get so many alerts of possible endpoint security threats and breaches, it’s impossible to keep up with all of them.”_
Complete findings and analysis of the research will be presented by ESG analyst, Jon Oltsik, in a live webcast on Wednesday, May 20 at 10am PDT. To register, click here.
About Enterprise Strategy Group (ESG)
Enterprise Strategy Group (ESG) is an integrated IT research, analysis, and strategy firm that is world-renowned for providing actionable insight and intelligence to the global IT community. Recognized for its unique blend of capabilities—including market research, hands-on technical product and economic validation, and expert consulting methodologies—ESG is relied upon by IT professionals, technology vendors, investors, and the media to clarify the complex.For more information visit here www.esg-global.com
About Spikes Security
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.