Web-borne malware is likely to have infiltrated more than 75 percent of enterprises through inherently insecure browsers, according to a survey of 645 IT and IT security practitioners that was conducted by Ponemon and sponsored by Spikes Security.
The findings reveal the average cost to respond to and remediate just one security breach resulting from failed malware detection technology to be approximately $62,000 per breach.
A majority (69 percent) of IT and security professionals believe browser-borne malware is a more significant threat today than just 12 months ago, and is more serious than other types of malware infections.
"As the report indicates, these malware attacks cost organizations more than $3 million each during the last 12 months. And that's just to clean up the mess as a result of failed detection technology," Franklyn Jones, chief marketing officer with Spikes Security, told eWEEK. "The real cost—often immeasurable—is the damage to the reputation of the business and loss of customer trust."
Jones said when browser-borne malware escapes detection by all the usual layers of security products, it can operate in stealth mode—again completely undetectable—on end-user devices, communicating with external command centers for instructions to launch attacks on internal systems.
Organizations would allocate an average of 33 percent of their total security budget to stop Web-borne attacks by 50 percent, and to stop 100 percent of these attacks, they would allocate an average of 50 percent of the budget.
More than three-quarters (77 percent) of respondents said it is certain or very likely their organizations have been infected by Web-borne malware that was undetected.
According to just over half (51 percent) of respondents, they are not receiving the resources or budget they need to effectively detect and contain this threat, and 49 percent of respondents say defending against Web-borne malware is not a security priority.
As a result, the majority of respondents (52 percent) rated their ability to detect and contain Web-borne malware as very weak or weak.
The vast majority of those surveyed cited insecure Web browsers as a primary attack vector (81 percent strongly agree or agree), and even with existing security tools, Web-borne malware can be completely undetectable.
In addition, 65 percent of respondents said overcoming psychological dependence on traditional detection methods would be a main barrier to adopting a browser isolation technique that rendered traditional Web-borne malware detection and containment methods obsolete and unnecessary.
This was followed by concerns over diminished user productivity (50 percent), system performance issues (44 percent) or complexity and difficulty to operate (41 percent).
"As long as we continue to rely on detection technologies—which really represent a best-guess effort in identifying and stopping threats—cyber-criminals will continue to develop new malware delivery strategies by bypassing those controls," Jones said. "Remember, they only have to succeed once to win."