The enterprise malware problem is largely an enterprise browser insecurity problem, according to a report out today by the Ponemon Institute. The study showed that on average, a user's insecure web browser caused 55 percent of malware infections in the past year and that almost all respondents believe their existing security tools aren't capable of completely detecting web-borne malware.
“The findings of this research reveal that current solutions are not stopping the growth of web-borne malware,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Almost all IT practitioners in our study agree that their existing security tools are not capable of completely detecting web-borne malware and the insecure web browser is a primary attack vector."
According to a quarter of the enterprise surveyed in the report said 76 to 100 percent of malware infections were caused by insecure web browsers and 69 percent of IT and security professionals believe that browser-borne malware is a more significant threat than a year ago. This puts them in a difficult position, as many security solutions designed to address the problem are still letting malware through.
Approximately half of organizations say that web-borne malware was able to bypass their layered firewall defense and even 38 percent reported that sandboxing and content analysis engines still let web-borne malware through.
However, many organizations face an uphill struggle in isolating risks at the browser level. At the fundamental level, there's simply the issue of inertia. Approximately 65 percent of IT pros reported that overcoming psychological dependency upon traditional detection methods keeps them entrenched in the old mode of protection.
To some degree, many enterprises are still largely dependent on the progress that the major browser security vendors have been making within their products. According to Secunia, in 2014 there was a 19 percent decrease in the number of vulnerabilities discovered in Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Safari. For its part, Google announced last week that it has been able to more effectively harden Chrome through its bug bounty program. In 2014 it paid $1.5 million to researchers and rewarded them for finding more than 500 bugs across all of its portfolio. According to Google, in its first update to Chrome this year, 26 of the 62 flaws it fixed in the browser were found through external researchers, whom Google paid over $88,000 for the help.