The Web Browser: Security Threat Number One

Do you use Firefox? Internet Explorer? Safari? Which one do you think is the safest?

Right now, Firefox is thought by many to be the most secure browser available (although a new report from Microsoft conveniently rates IE as the best bet -- CNET). And even the supposedly impregnable Macs seem to be vulnerable through the Safari browser (eWeek).

Bottom line, though: all of the web browsers are essentially vectors for malware if you happen to be browsing the wrong kind of website.

It used to be easy to know what that 'wrong' kind of website was. If you searched for porn or downloaded free software, you were asking for trouble (of course, that’s still true today). But now a non-profit charity or gardening website can be just as compromised. When you visit a site that has been hacked, your computer gets infected. Now your private and personal information is at risk and you could be infecting others… and this easy, sleazy process explains why one new infected web page is discovered every five seconds (Sophos).

I talked about how the humble web browser has emerged as the number one threat to web security at the 1st Annual Critical Infrastructure Protection Conference in Calgary earlier this month on the theme "Cyber Security for Energy and Communications". This conference looked at understanding the threats and hazards that the industry faces and explored solutions. Some of the most senior IT security experts in North America were there, so it was very exciting to take part. Here are some of my key tips about web security that I presented:

1. Educate your workforce. You pay a software maintenance fee every year for upgrades and support for your anti-virus and firewall programs. But you also need to invest a corresponding amount in ongoing education for your staff. Train them in best practices for security. The human factor can be your greatest vulnerability... or your best defense.
2. Demand security from your business partners. If your suppliers, distributors or outside consultants don't have the same commitment to IT security that you do (or better), drop them. In an increasingly symbiotic business network, their security holes are your security holes. On the other hand, their security measures can help keep your organization safe. Requiring high standards helps protect your own business and the industry as a whole.
3. Make a business case for security within your company. Show your people how vulnerabilities can affect your business, and close them off. This can mean implementing technology solutions like firewalls and spam filters, or proactive measures such as web vulnerability audits. It also could mean implementing policies about what websites employees can browse. This may sound harsh, or even unworkable at first; but once they weigh it against the risk of your IT infrastructure getting hacked, your people will realize the business rationale.

If any of my loyal readers have a tip to add, the comments section awaits.