Mark Twain once quipped, “It’s not what you don’t know that gets you into trouble, it’s what you know for sure that just isn’t so.”
So too, in the world of web browsing, misconceptions abound. My objective in this article is to expose the common myths of safe web browsing.
Before I get to the heart of the matter, some relatively obvious questions come to mind:
Is safe web browsing possible? Can risky sites be avoided? Can a web browser be made into a safe web browser? Is there such a thing as a safe web browser? Can our end users eliminate frivolous web browsing during work hours?
Unfortunately, a yes answer to any of the above leaves our end users completely exposed — an all-too-common situation in today’s marketplace.
Although trying to solve the dilemma by building ever-increasing “walls” between our users and the Internet seems the simplest solution, this solution quickly becomes cost-prohibitive and ultimately will not work.
What is the responsible thing to do?
As I look at the most common myths surrounding web browsing, I will offer some positive approaches to preventing loss of security resulting from mistaken perceptions.
Web browsing must be safe because we’ve been doing it for several years and we’ve never had an intrusion.
Lucky you! Seriously, this thinking hardly amounts to a real strategy. What’s worse, you may be infected and not even know it. Many of the more formidable malware intrusions are specifically designed to stay hidden and steal personal and company information covertly. Although the task of staying up to date regarding current intrusions seems daunting, employing meaningful policies and up-to-date prevention technology can prevent security breaches.
Our users are responsible individuals who don’t spend their time searching inappropriate web pages and content.
Sorry, that is simply not true. A 2011 research report by Gartner shows that at least 40% of U.S. business bandwidth is used for nonbusiness and inappropriate activities on a daily basis. On average, this amounts to between one and two hours per worker per day. What makes matters worse is the potential for legal damage to the organization brought on by the inadvertent actions of the unsuspecting surfer. Again, regular policy and standards reviews are necessary. These reviews in and of themselves won’t eliminate a breach, but they are a positive and necessary part of ensuring system safety.
Our organization has clear and strict policies in place that prevent inappropriate internet usage.
As naive as this statement appears, a surprising number of organizations rely on such thinking to protect their assets. As obvious as the real solution may seem, these organizations consistently fail to incorporate the necessary technology to safeguard their data environments. Keep the standards and policies in place and be sure to back them up with solid “watchdog” technology.
Only porn, gambling, and other illicit sites are dangerous, and we always prevent our people from going to those.
Recently, Symantec released information indicating that 83% of those sites containing malware were hijacked trusted sites. It turns out that the sites we trust the most tend to be the most infected. Only regularly updated technology that tracks site blacklisting can adequately protect against damage from visits to these sites.
A user must download files or run an executable to get the PC infected.
This was true in the early days of malware development, over 10 years ago! In the modern world of hacking and intrusion, most infections are done automatically. Though this is unfortunate, to be aware is to be forewarned. Fortunately, ALL the top-ranked products for PC client protection do a thorough job of protecting against automatic infections. But these products must be kept running and up to date.
Our users browse with Firefox, and it is safer than Internet Explorer.
Although this is a common belief, it is statistically inaccurate. All the most dangerous intrusions and infections are directed at components that are used by all browsers. Also, in the most recent review of browsers in use today, Firefox is the least secure browser. The solution here is obvious: do not depend on the selection of a browser or on a particular browser alone for protection!
Only naive users get their PCs infected.
Nothing could be further from the truth. Malware known as drive-by downloads can infect any unprotected PC automatically, without any action by the end user, no matter how computer literate that end user may be. A well-crafted phishing attack can lead to an infected machine simply with a visit to a bogus site. As attackers and their attacks become more sophisticated, so too must we and the products we use to fend them off.
When the padlock appears in the status bar, the site you are visiting is safe.
Wrong answer! The padlock is a reference to the security of the transactions to and from the website, not the malware-free status of the site. Drive-by downloads from an infected site can still deliver infections. It should appear obvious by now that part of the job of maintaining safe, intrusion-free environments depends on anticipating the beliefs and actions of end users, especially when those actions are based on erroneous beliefs or out-of-date information.
Fortunately for us, the security solutions industry has kept pace with modern attackers. There are a number of solid endpoint and client-based products — both hardware and software — that do a comprehensive and competent job of protecting against intrusion and infection.
However, as Tony Robbins reminds us, “knowledge is only power when we act.”
Begin today, and take the necessary steps to ensure a safe and secure browsing environment for all your users.