BYOD, evolving Web malware new threat vectors

Consumerization of IT and the increase and improvement of Web malware are the latest trends that will open doors to cybercriminals, and user education is needed for mitigation, market watcher states.
Written by Ellyne Phneah, Contributor

SINGAPORE--The trend of employees accessing sensitive corporate information from their personal devices outside their office, along with evolving Web malware, are the latest threat frontiers in the IT security landscape, a Sophos report reveals.

The study released Thursday found that the consumerization of IT, or Bring Your Own Device (BYOD), is becoming one of the newer causes of data vulnerability.

The poll was conducted online at the end of 2011, surveying more than 4,300 respondents about the biggest threats on the Internet today. Users were asked if their company allowed personal laptops, desktops or phones for work. Nearly half of them answered yes, while another 10 percent of those who said their companies did not allow this preferred that they did.

Employees are on the "everywhere network", accessing sensitive corporate information from their home computers or personal devices, the report stated, adding that corporate-issued mobile devices increased risk, along with the rise of cloud services and use of social media.

Consumerization of IT liberates individuals to share their information online "as and when they want", Rob Forsyth, Asia-Pacific managing director at Sophos, told ZDNet Asia at a press briefing here Thursday.

With the power to use devices and share information online, they are at greater risk because cybercriminals can steal their personal and corporate data and use it in a variety of ways, such as selling it on the black market, he warned.

He likened them to "inexperienced drivers" who have driving licenses and are already driving, and so are at greater risk of "running into car accidents".

"Internet users today are like inexperienced drivers with driving licenses. They have a bigger risk of running into car accidents."
-- Rob Forsyth,
Asia-Pacific Managing Director, Sophos

Web threats evolving
It was also found that Web threats were evolving and cybercriminals constantly launched attacks designed to penetrate digital defenses and steal sensitive data. 67 percent of respondents felt that in 2011 Internet malware was on the rise, compared to 2010, according to the poll.

An average of 30,000 Web pages were newly infected every day and more than 80 percent were on "innocent" Web servers, which had been hacked by cybercriminals, according to Sophos. The report also cited research from the Ponemon Institute which found that 85 percent of all malware, including viruses, worms, spyware, adware and Trojans, comes from the Web.

As cybercriminals continue to expand their focus and organizations adopt new technologies, they also face the challenge of keeping their security capabilities from backsliding, Forsyth noted in a statement. He warned that as organizations continue to access information in different ways, including from different devices at different locations, security tools must have the ability to secure all points--desktops, mobile and smart devices and the cloud.

Cybercriminals will continue to stalk the easiest prey--security basics like patching and password management will remain a significant challenge, he said.

Cybersecurity education needed
While some devices are technically safer than others, user perception may differ, so no one device is riskier than another, Forsyth pointed out at the briefing.

He said that an Apple device may be relatively safer than a Windows device, but the user of the Apple device may be less guarded against security threats compared to the Windows user. As such, it "balances out".

"A user's security posture changes with his perception," he said, reiterating that people are the weakest link in security and that user education is very important.

With cyberthreats becoming increasingly sophisticated and users putting themselves at risk with devices, countries should start to consider implementing national cybersecurity education such as sending all students for a one-month compulsory course, he advised.

Just like laws in any country, once cybersecurity education is legislated, citizens will start practicing it and passing down best practices to future generations, Forsyth said.
