Faced with Web-borne threats, four out of five companies have adopted policies against downloading certain types of files and more than three-quarters have systems that actively block some downloads, a Black Diamond, Washington-based research firm is reporting.

 

Yet, officials at Osterman Research say, despite significant Web growth, nearly 40 percent of companies it surveyed in November have no simple URL filtering solutions in place.

 

“Many organizations have implemented tools to control the use of Web applications, including blocking or monitoring the use of Web applications at the firewall, use of a security Web gateway to monitor the use of Web applications without blocking their use and use of a secure Web gateway to prevent users from installing Web applications,” the firm says. “However, URL filters alone or policies to restrict use of Web applications cannot block applications that are streaming, leaving the network vulnerable to attacks from Web 2.0 objects.”

 

The firm’s survey of 139 organizations of about 1,000 workers apiece was commissioned by Atlanta-based Purewire, a Web security service.

 

Osterman found that the Web carries a number of quite serious risks and potential risks – and that organizations are “very concerned” about those risks.

 

About 46 percent of respondents say infections came from users visiting infected Web sites, 25 percent felt they came from e-mail, while 16 percent said they came from another source.

 

“A mean of 9 percent of organizations – one out of every 11 – had remote workers’ computers infected with malware, spyware or related problems during the previous 12 months,” the firm reports. “Seventy-six percent of organizations are concerned or very concerned that the Web is an entry point for malware.”

 

More and more companies are warning about the dangers of Web sites.

 

As TMCnet reported, a Santa Clara, California-based Web site security provider found recently that 82 percent of Web sites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity.

 

Officials at WhiteHat Security say in their “Web Site Security Statistics Report” – available for download here – that vulnerability time-to-fix metrics are slowly improving, but continue to show significant room for improvement, typically requiring weeks to months to achieve resolution.

 

According to Jeremiah Grossman, founder and chief technology officer at WhiteHat, Web security is a moving target.

 

“So, enterprises need timely information about the latest attack trends, how they can best defend their Web sites, and visibility into their vulnerability life-cycle,” Grossman said.  “We hope this report continues to be a beneficial tool for actionable information today’s enterprises can use to stay on top of evolving Web site security challenges.”

 

The report finds that only about 50 percent of the most prevalent urgent severity issues were resolved during the assessment time frame.

 

Here’s a chart from the report showing the likelihood of Web sites’ vulnerability, sorted by severity:

 

 

TMCnet’s own guest columnist, Kevin G. Coleman, a Certified Management Consultant and Strategic Advisor with the Technolytics Institute, wrote here recently about how the Internet has evolved as a weapon with the nation’s dependence on its technologies.

 

According to Coleman, the United States and the world is unprepared for the disruption that will occur if a substantial cyber attack is launched against the information infrastructure that powers the global economy.

 

“This is not just my opinion – it is the opinion of other high-profile experts in the military, intelligence and private sector,” Coleman writes. “Efforts to fortify the information infrastructure used by the general public and businesses around the world are minimal at best. In this tough economic environment, convincing businesses to invest in security measures to protect corporate computers and networks for something that really has not happened and they believe only ‘might’ happen is next to impossible.”

 

According to the Osterman-Purewire survey, about 49 percent of respondents said they are concerned or very concerned about enforcing Web usage and Web security policies for employees that work remotely, such as ensuring that they do not visit undesirable URLs or that they are not exposed to malware via the Web.

 

One breed of less costly protection solution is the Software-as-a-Service model, Osterman said. More than 70 percent of organizations are using SaaS (News - Alert)-based antivirus and antispam capabilities (although not for all users), 26 percent are using SaaS-based archiving solutions, and 26 percent are using SaaS-based Web security solutions, the firm said.

 

“Other Osterman Research surveys have confirmed the growth of the SaaS-based paradigm, particularly given challenging economic times in which decision makers will be evaluating less costly and more efficient methods managing key parts of their infrastructure,” the firm said.