Once considered a dirty word, no one today would doubt the importance of security. A decade ago, the world had a shock when the ILOVEYOU worm was unleashed by email, infecting an estimated 10% of computers worldwide. As such exploits became more common, organisations looked to implement controls for achieving email security and now the vast majority of organisations have such controls in place, at least in the form of anti-virus if not other protections.
Today, however, those controls are not sufficient. With hackers increasingly sophisticated and motivated by financial gain, it is harder to defend against them. The web is now the preferred vector of attack, generally in combination with another vector, such as email.
According to the Anti-Phishing Working Group, 95% of attacks rely on HTML, the predominant markup language for webpages, as a delivery mechanism. However, while more than 99% of organisations use anti-virus applications, just 60% are using web or URL filtering technologies to protect themselves against malware picked up on websites.
For any organisation, a web presence is vital as is email as a communications tool. To shield themselves from brand or reputation damage resulting from those systems being attacked, which could lead to sensitive information being stolen, organisations need to beef up their controls. But, as vital as those systems are, many organisations find that implementing the controls in-house and ensuring that the protection offered by the controls are constantly up to date regarding the latest threats is a daunting task. Organisations need to assess the risks that they face to ensure that the investments that they make in security suit the needs of their particular organisation.
For many organisations, from small, resource-strapped firms to large, geographically dispersed multinationals, a better option than implementing email and web security controls in-house may be to outsource the services to a cloud-based service provider.