IBM: Corporations Threaten Their Customers Even When They Try To Act Nice

So you think that if you buy something from a company they will love you for it and will try to make you their best friend for life to ensure continuous sales in the future? You are probably not entirely right as even if they actually love you they may have very unpleasant surprises for you – because of their own IT activities and your willingness to participate in such activities.

The results of IBM annual 2008 X-Force Trend and Risk report published today prove that corporations may now put their customers at risk – even without actually having anything bad on their minds. These risks are about corporations making their customers vulnerable to various cybercriminal threats by inviting them to use their corporate websites – for whatever purposes it may be. So if you use any online banking application or simply participate in a poll to help make your favorite shaving foam better you may face various threats even without realizing that.

But before you go and file a lawsuit about every company that you visited a website of in the last few months, you should also realize that it’s not actually about companies not willing to serve the best interests of their customers – instead, it’s about companies being unable to maintain their sites in a manner to keep them secure enough and protected against various attacks.

At the same time such legitimate business websites are a very attractive target for cybercriminals as they contain lots of appealing information (like real names, addresses and even credit card numbers) of multiple people and are trusted by their customers. So using a legitimate website as a launch pad for a malware distribution to steal personal data of people now sounds like something many criminals will want to do now. And while financial institutions remain the most appealing target for phishing attacks, they also pay more attention to preventing such attacks – while other companies may simply fail to realize the necessity of such a protection.

Another problem is that many companies are not educated enough about the challenges they are facing when moving some parts of their businesses online – and relying on some simple solutions and web applications that are so shiny and bright but are rarely secure enough to be used in the corporate world. So it is no wonder that trying to infect end-user machines with malware using various vulnerabilities in web applications – that are often in “beta” (not secure enough) or are customized according to a customer’s needs (without sufficient testing) – has been a very popular trend in 2008.

Our reliance on user-generated content can present additional security challenges as both spammers and cybercriminals can abuse sites providing everyone with a place and some visibility online – to do whatever we choose. And while free blogging platforms and citizen journalism platforms are obviously great in terms of giving everyone a voice and an opportunity to be heard without investing anything, lack of filtering results in users posting whatever they want to – be it a harmless image or sincere blog post or – on the other hand – a spam ad or an infected PDF document or Flash movie that will distribute malware to all visitors.

Basically the report demonstrates that the web 2.0 trends that we are so enthusiastic about most of the time should be assessed carefully before companies even try to use them for anything serious and security should be a key focus here. True, more and more customers learn to trust their favorite service providers and manufacturers enough to buy services and products from them online but that basically means such companies should be even more cautious about what they do with their websites and what web applications they integrate for their customers to use online.

The full report is available here (PDF file 4.58 MB)