A report just released by security startup, Menlo Security, found that one-third of the top one million websites have already been compromised with malware or are running outdated or unpatched software that is vulnerable.
The problem is two-fold:
1. Does your website contain vulnerabilities?
As the report notes, these website vulnerabilities are easily detectable by hackers. In fact, information about the software running on your website (e.g., web servers, content management systems, application frameworks) is readable by any standard browser and can easily be cross-referenced against publically available lists of known vulnerabilities. If you website software is out of date, you are a potential target. What can you do? Your technical and security teams should have formal processes for scanning your website for new vulnerabilities and making sure that all website software is promptly patched and updated. Simply running the most current version of the software can help eliminate many of the known threats.
If you find that your website has been compromised, have a prepared incident response plan that has been tested so that you can react quickly. Companies that are able to identify and response to security incidents in a quick and comprehensive manner are usually in a better position to minimize the damage to their brand reputation, reduce legal and regulatory expenses, and recover more quickly.
2. Are your employees able to go to websites that are infected?
It is not just your website that you have to worry about. During the course of their day, you employees are visiting many of these websites and could become infected. If infected, your employees could inadvertently open the door to your internal network so that your other users and systems could be compromised.
Blocking or limiting access to "unsafe" websites, such as pornography, gaming and other similar categories can help but, as identified in Menlo's report, many of the vulnerable websites are reputable business-oriented websites that your employees could legitimately need to access from work. Blocking and filtering website access can only be part of the solution.
To respond to the growing threats, many companies are deploying intrusion detection and real time malware scanning tools to help quickly detected infected computers and limit their ability to infect other computers on your network. This, in conjunction, with a comprehensive security program, security awareness training for all of your employees, and a tested incident response plan can help lower (but not eliminate) this security exposure.
A copy of the report is available on Menlo Security's website (registration required).
Christopher Avery is a privacy and data security attorney in Davis Wright's New York City office. He advises clients on U.S. and international privacy laws and regulations pertaining to consumer privacy, employee privacy, data security, and cybersecurity. Christopher regularly counsels companies on how to prepare for, respond to and recover from cybersecurity events.