Achieving comprehensive web security within the organization is not a trivial task. This is especially so for businesses with limited IT budgets, limited manpower, and other practical limitations. Having a good web security setup in place is a challenging feat by itself – on top of all the other challenges that an IT administrator for an SMB (small and medium business) has to face on a daily basis. Here are the 10 main steps you need to take to achieve effective web security:
Step 1: Security at the perimeter
Rather than depending only on protection at the client side, web security should be handled at the edge/perimeter of the network (just like with your firewall). In this manner you actually prevent anything malicious from reaching the endpoint – problems are tackled at the point where the risk can be mitigated by keeping it segregated from the internal network.
Step 2: Antivirus protection
One of the first steps to achieving web security is scanning of user downloads. The biggest security threat posed by browsing users is when infected files are downloaded to the network. So scan all downloads at the perimeter.
Step 3: Multiple antivirus engines
The principle of multiple layers applies to antivirus scanning. Rather than virus scanning using a single antivirus engine, a multiple engine approach is ideal. This is because no single engine can realistically cover all threats, so with multiple engines you can ensure greater coverage. This is not feasible at the endpoint for performance reasons, but all downloads should be scanned at the perimeter by multiple different antivirus engines.
Step 4: Download prevention
Most users do not need to download and/or install files from the Internet. Allowing them access to download high risk files is an implicit security threat. Thus, as a proactive approach to web security, the IT administrator should actually implement policies which stop users from downloading these specific high risk file types.
Step 5: Blocking websites by content categories
Using a web categorization database, block high-risk website categories in order to prevent access to the potential threats posed by your users’ web usage.
Step 6: Blocking known malicious websites
A proactive approach to security would be to automatically block malicious websites – this ensures that users are stopped from accessing such websites in the first place, rather than reacting to the malicious content (i.e. hoping the antivirus solution can detect the strain). This proactive approach removes any risk that the specific website might present.
Step 7: Blocking phishing websites
The costs of a successful phishing attack can be very high – with either direct financial loss (bank or credit card details), or data leakage (confidential information) which would have very large indirect costs. The implementation of an anti-phishing engine is therefore essential.
Step 8: IM blocking
Allowing the uncontrolled use of IM (Instant Messaging) clients means introducing significant risk to the organization – and thus policies should be in place to ensure IM is only used if necessary and for reasons clearly outlined by a policy for IM use.
Step 9: Blocking via Web Reputation
Even with the above mechanisms in place, most of them rely on detecting a threat that already exists. Web Reputation is a prediction of the threat that a particular website might pose in the near future. The concept of reputation is that of analyzing a website to determine whether it poses a potential security risk; if so, it can be blocked before it actually becomes a threat.
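To make the ordering of steps 2 to 9 concrete, here is a small perimeter policy evaluator added as an illustration (it is not the article's product or code). It chains the checks in the order a proxy would apply them: known-malicious and phishing lists, content category, reputation threshold, high-risk file types, and finally the multi-engine scan verdicts. All list contents, host names, scores and engine names are constructed placeholders.

```python
import os
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed policy data (placeholders); a deployment would load vendor feeds here.
HIGH_RISK_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".msi"}
BLOCKED_CATEGORIES = {"malware", "warez", "proxy-avoidance"}
CATEGORY_DB = {"downloads.example.test": "warez", "news.example.test": "news"}
KNOWN_MALICIOUS = {"evil.example.test"}
PHISHING_SITES = {"login-bank.example.test"}
REPUTATION = {"newsite.example.test": 25, "news.example.test": 90}  # 0 (bad) .. 100 (good)
REPUTATION_THRESHOLD = 40


@dataclass
class Request:
    url: str
    # Per-engine scan verdicts for a completed download: engine name -> True if malicious.
    av_verdicts: dict = field(default_factory=dict)


def evaluate(req: Request) -> tuple:
    """Apply the perimeter checks in order; return ('block', reason) or ('allow', 'ok')."""
    parsed = urlparse(req.url)
    host = (parsed.hostname or "").lower()
    ext = os.path.splitext(parsed.path.lower())[1]

    # Step 6: known-malicious hosts are refused before any content is fetched.
    if host in KNOWN_MALICIOUS:
        return "block", "host on known-malicious list"
    # Step 7: phishing list, same treatment.
    if host in PHISHING_SITES:
        return "block", "host on phishing list"
    # Step 5: category lookup; hosts with no category entry pass this check.
    category = CATEGORY_DB.get(host)
    if category in BLOCKED_CATEGORIES:
        return "block", f"category '{category}' is blocked"
    # Step 9: reputation score; hosts with no score are treated as neutral (allowed).
    score = REPUTATION.get(host, REPUTATION_THRESHOLD)
    if score < REPUTATION_THRESHOLD:
        return "block", f"reputation {score} below threshold {REPUTATION_THRESHOLD}"
    # Step 4: high-risk file types are never downloaded, so no scan is needed.
    if ext in HIGH_RISK_EXTENSIONS:
        return "block", f"high-risk file type '{ext}'"
    # Steps 2-3: the download is scanned by every engine; one detection is enough.
    flagged = sorted(name for name, hit in req.av_verdicts.items() if hit)
    if flagged:
        return "block", "malware detected by " + ",".join(flagged)
    return "allow", "ok"
```

The early checks need only the URL, so a request can be refused without fetching anything; only a download that clears them reaches the scanning engines.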
Step 10: Education
Although systems can help mitigate risks, no security system is 100% safe and the responsibility of web security remains with the end user.
Educating users is paramount. The biggest risk to the organization or network is always the end user, so your strongest defense point is to educate them. Unless they understand that they need to be constantly wary when using the Internet, then they will always be a weak point. Users must have a basic understanding of the different types and methods of attack they could be exposed to whilst browsing. They need to learn to treat every link with suspicion, and be responsible for their actions rather than assuming it is solely the responsibility of the software and IT team to protect them. Tech-savvy users might also try to find ways to circumvent your web security measures, if they don’t realize that their actions could cause irreparable damage to the network and the organization.
Ultimately this is probably the toughest challenge; however, once that hurdle is overcome, the highest level of web security has been reached.
With these ten steps in place, and using a web security solution that provides protection against all the above mentioned security risks at a low cost, your network can benefit from effective web security.
The top five web security traps
Now that you know what the steps are to gaining effective web security, watch our quick video which outlines five very good reasons to get down to it. It only takes one malicious link, infected download or data breach to compromise the security of your business. To help you get started, here’s some advice for you to share with your network users on five common online security traps.