Worm warning: Beware staff surfing, says IDC

Companies are now more likely to pick up malicious software via employee web surfing than from the more notorious email attachment, according to a study released on Wednesday by IDC Denmark.

Nearly 40 percent of the 200 Danish companies surveyed said they'd been infected by a virus or worm, despite the fact 75 percent had implemented a security policy, IDC said. But the malware in question is no longer primarily making its way through email, as in the past.

Per Andersen, IDC Denmark's managing director, said it's a common misconception that email constitutes the biggest security threat from the internet - adding in a statement: "the survey shows that up to 30 percent of companies with 500 or more staff have been infected as a result of internet surfing, while only 20 to 25 percent of the same companies experienced viruses and worms from emails".

The risk of infection is about five times greater for companies that allow internet usage by staff to go on unhindered and unmonitored, Andersen said.

The problem doesn't go away for companies that ban private internet use, because often such policies aren't enforced, IDC found: about 30 percent of management at such companies said staff accessed the internet for personal use during working hours.

IDC believes banning personal web use isn't realistic, particularly as a long-term solution. Instead, the company recommends closer monitoring of staff internet use, using tools that give management an overview of time spent and behaviour patterns online.

Andersen said: "It can certainly be done in such a way that it does not constitute outright monitoring of the actions of every member of staff."

Attacks can come from relatively innocuous online sources, according to Andersen. He cited the case of a poker website that placed a Trojan horse on users' PCs when they downloaded the site's help program.

Matthew Broersma reported for ZDNet UK from London


Talkback: 1 comment

  1. STEP 1 fatcop -- 18/09/06

    Mandate Mozilla Firefox as corporate browser.
    Ban IE (via proxy or whatever) from accessing external websites other than a small whitelist of safe IE-only sites (like Microsoft website for updates etc).

    IE can still be used for internal use if they want. Like internal solutions using ActiveX controls.

    Seriously, our company (mid-sized, Sydney CBD based) did this about a year ago and it basically eradicated 95% of issues (relating to popups, IE bugs and ActiveX installs) overnight.

    All MS's updates may have made IE more secure, but nothing beats not supporting ActiveX at all :)

    Of course this goes hand in hand with the usual firewall arsenal.

