The most likely avenue for a malware attack, and cause for successful malware attacks, is lack of user knowledge about cyber-security risks, according to a survey of 315 North American-based IT security professionals working at enterprise-class organizations (1,000 employees or more) sponsored by Malwarebytes and conducted by Enterprise Strategy Group (ESG).
The study also revealed that enterprise organizations are seeing an increase in more sophisticated malware and are making it a strategic priority to add new layers of endpoint security to protect their organizations against advanced zero-day and polymorphic threats commonly used for targeted attacks.
"As cyber-attacks become more sophisticated, IT security professionals are realizing that relying on only one layer of endpoint security isn't enough. Each endpoint needs multiple layers of malware detection to ensure complete protection," Marcin Kleczynski, CEO of Malwarebytes, said in a statement. "The reality is, most antivirus products will miss nine out of 10 zero-day malware threats, and having a layered approach blocks advanced threats that traditional antivirus scanners may fail to detect."
The ESG report found the majority of respondents have seen an uptick in more sophisticated and targeted malware attacks over the last 24 months. However, 62 percent of organizations surveyed said endpoint security software is not effective for detecting zero-day and/or polymorphic malware, which leaves them vulnerable to these attacks.
Likely avenues for malware to compromise an organization’s system included employees opening an infected e-mail attachment and unwittingly clicking on an infected URL while surfing the Web. Survey respondents indicated an employee clicking on an infected URL posted within an e-mail was the most likely vector for malware to infiltrate their organizations.
On average, it took 57 percent of respondents hours to detect that an IT asset had been compromised by malware. It took 19 percent of organizations several days to determine there had been an attack, and 29 percent of respondent organizations that have suffered a successful malware attack believe the increasing use of social networks is responsible for those attacks.
In addition, two-thirds of U.S.-based respondents do not believe the U.S. federal government is doing enough to help the private sector cope with the current cyber-security and threat landscape, and 85 percent of IT security professionals expressed concern about some type of massive cyber-attack that could impact critical infrastructure, the economy and/or national security.
"When it comes to managing malware risk, enterprises would be best served by implementing a layered approach using proactive and reactive lines of defense through their networks. Antivirus software plays a key role in protecting organizations, but it should not be the only method used to deter malware attacks," Jon Oltsik, senior principal analyst at ESG, said in a statement. "Additionally, sometimes the biggest vulnerability in an organization is the computer users. Because employee actions can greatly impact computer security, educating employees on potential threats and how to avoid them should be made a priority."