Digital analytics is the core of businesses today. What one says is just an opinion if not backed by concrete data. Isn’t it the same with web application security too? Every security professional needs some substantial figures behind the belief that app sec is going to be the most crucial vector for public-facing websites. Here are some key stats that your company should not be missing.
1. 30,000 websites are hacked daily, which means that around 10 million sites are hacked in a year.
2. 32,323 public Indian websites were hacked in 2014 with 14% Y-o-Y increase.
3. 155.GOV and.NIC domains were hacked last year.
4. 1,000,000,000 (a billion) personal records were stolen globally last year.
5. Around 75% of the data breaches happen at the application layer.
6. According to CIOs, financial loss, reputations damaged, and disruption of the business are key damages that they faced immediately after the breach.
7. Illicit financial gains are the motive behind 58% of the cyber-attacks.
8. Sensitive data is also alluring hackers. Major Indian song portals and taxi-for-hire websites were hacked for credit card and user information.
9. Last year, it was reported that 90% of mobile banking applications were vulnerable to attack.
Key takeaways: Unless companies operate their business in a vacuum, they cannot overlook the risk of hacking. This risk is real and getting graver with more money being pumped into the online economy. Information Technology research giant Gartner has already predicted that increasing adoption of cloud and mobile will drive the security market, which is estimated to $76.9 billion by this year and $170 billion by 2020.
10. 156 million phishing emails are sent every day. The figure crosses 56 billion in a year.
11. 16 million emails manage to pass the spam filters successfully every day.
12. Around 800, 000 links in these spam emails are clicked on a daily basis.
13. Phishing causes companies an estimated loss of $28.1 billion.
14. There is an acute lack of awareness of phishing attacks in employees across the world. Such an attack are even more dangerous when employees are using their official user rights in the network.
15. Advanced phishing attacks also use social engineering to extract user information through social networking.
16. One phishing attack is carried out every minute.
17. Is it easy to identify phishing emails? The survey shows that 97% of the internet population cannot differentiate a sophisticated phishing mail.
Key takeaways: Modern phishing is not just a risk for customers and users but also businesses at large. Phishing is increasingly being used to launch sophisticated Cross-Site Scripting attacks to steal sensitive information.
18. SQL Injection was discovered 15 years ago but it is still the most dangerous vulnerability. It even tops the OWASP Top 10 list.
19. Around 97% of all the data breaches across the world happen due to SQL Injection.
20. Cross-Site Scripting, on the other hand, is the easiest way to compromise sites.
21. 91% of the websites detected with ‘Critical’ vulnerabilities tested by Indusface Web Application Scanning had SQL Injection vulnerability.
Key takeaways: OWASP vulnerability detection and protection is the first step toward securing web and mobile applications. It is unfortunate that even some of the major online brand names overlook app security and compliance.
22. Malware exists in computers of around 40% of computer users.
23. There are more than 400, 000, 000 types of malware today.
24. 80, 000, 000 types of malware have been identified recently.
25. Malware is the top reasons behind sites getting blacklisted by search engines and site index portals.
26. 97% of all types of mobile malware affects Android devices solely.
Key takeaways: Malware like a virus, worms, adware, and Trojan horses affects web and mobile applications at large. Data breach, blacklisting, DDoS, and loss of business reputation are some of the severe security risks that companies face if malware is not prevented. Regular scanning for malware detection is critical.
27. DDoS attacks cost banks up to $100, 000 per hour.
28. 20% of such attacks last for days and even months.
29. A lot of attackers also use DDoS as a diversion for other kinds of application attacks.
30. 87% of the attacked companies were hit more than once.
31. Attacks within the bandwidth of 1-5 GB have increased by 150%.
32. Competitors launch DDoS attacks to disrupt business on high sale volume days.
33. Companies need around 10 employees to mitigate DDoS.
34. It is impossible to detect and prevent all types of DDoS attacks unless traffic to the application is monitored continuously.
35. The estimated cost of a successful DDoS attack for a company is anywhere between $5,000 and $19,999 an hour.
Key takeaways: With intrusion prevention systems and network firewalls failing to detect application distributed denial of services, companies should look into 24 × 7 DDoS monitoring and mitigation solutions like manage web application firewall.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Before this, as the CTO @ Indusface, Venky created the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.