Search engines and online shopping: the new security threats?
You have your IT security policy in place; you’ve blocked access to or otherwise protected yourself from the usual suspects like gambling, pharmaceutical and adult websites, so your network is safe, right? Findings from the 2013 Cisco Annual Security Report suggest otherwise.
One of the most striking results from the study is that the highest concentration of online security threats isn’t found on websites we’ve traditionally thought of as “dangerous”, such as gambling and adult websites. In fact, the Report found that the online destinations most at risk of delivering malicious content are those we tend to visit every day at home and work, such as search engines, retail sites and social media sites. In the past, these online destinations haven’t been associated with many risks. Yet search engines were found to be 27 times more susceptible to threat than illegal downloads like pirated movies and music, and viewing online advertisements is 182 times more dangerous than visiting adult websites. Even online shopping is a risky behaviour, with sites 21 times more likely to deliver malicious content than illegal download sites.
Last month, I wrote about the first chapter of the third annual Cisco Connected World Technology Report (CCWTR), which asked students and young workers aged 18-30 (‘Generation Y’) as well as IT professionals in 18 different countries about their online behaviours and device usage. It showed that, in addition to expecting large amounts of online freedom, privacy and device choice, Gen Y employees are adopting mobile lifestyles that are beginning to blur the lines between work and personal life. The second chapter of the Report, released last week, provides insight into how these lifestyles are presenting security challenges that businesses haven’t previously had to deal with.
A pervasive theme we’re seeing in this chapter is the “privacy tradeoff”. Despite the fact that 80% of Canadian Gen Y respondents do not trust websites with their personal information such as credit card numbers and contact details, they’re willing to take their chances if it means a better online experience. Since many are using corporate networks and company-issued devices, this increases the potential risk of having network security compromised.
So, what implications do the results have for the way you deal with business security, keep track of online behaviour and protect your networks? How do you implement new policies when 72% of Canadian Gen Y respondents do not think that employers have the right to monitor their online activities, even if they are using a company-issued device?
It’s clear that as technology and the workforce evolve, so do the types and number of security threats we encounter. IT managers have to be aware of this and have several things to consider when implementing new security policies and educating employees about security threats. Given the findings of the Report, which show everyday websites such as search engines are susceptible to threat and likely to deliver malicious content, it may be time for IT managers to redefine exactly what constitutes a security threat or “unsafe” website. They also need to recognize and understand the behaviours of the next-generation workforce with regard to the way they use technology and expect certain freedoms, such as wanting to use their own device for work purposes or using company-issued devices for personal endeavours.
To this end, IT managers need to use all the tools at their disposal to provide a comprehensive approach to mitigating the threats encountered on otherwise ‘safe’ sites. Tools like the Cisco Identity Services Engine (ISE) can help provide contextual security for personal and corporate devices and users accessing the organization’s network, whether via wireless, wired or VPN connection. Organizations can further help protect their users from malware on sites such as search engines by using a cloud offering called Cisco Web Security service or a premises-based Cisco Web Security Appliance. These work by scanning redirected user web traffic for malware and enforcing user-based policy powered by the Cisco Security Intelligence Operations (SIO). The Cisco SIO provides the most comprehensive real-time web security available by drawing on the expertise of more than 500 researchers and engineers and analyzing data drawn from more than 1.6 million devices, 13 billion daily web requests on 150 million endpoints, and more than 35% of the world’s email traffic.
Increasing awareness of security concerns is a growing process that won’t happen overnight, but once IT managers learn more about emerging security threats and new workplace trends, they can begin to adjust policies accordingly and strike a balance between securing corporate networks and maintaining certain online freedoms and privacy.
What do you think of these findings? Let us know in the comments below, and stay tuned for my thoughts on the third chapter of the CCWTR.