Digital analytics is the core of businesses today. What one says is just an opinion if not backed by concrete data. Isn’t it the same with web application security too? Every security professional needs some substantial figures behind the belief that appsec is going to be the most crucial vector for public-facing websites. Here are some key stats that your company should not be missing.

1. 30,000 websites are hacked daily, which means that around 10 million sites are hacked in a year.

2. 32,323 public Indian website were hacked in 2014 with 14% Y-o-Y increase.

3. 155 .GOV and .NIC domains were hacked last year.

4. 1,000,000,000 (a billion) personal records were stolen globally last year.

5. Around 75% of the data breaches happen at the application layer.

6. According to CIOs, financial loss, reputations damage, and disruption of the business are key damages that they faced immediately after the breach.

7. Illicit financial gains is the motive behind 58% of the cyber-attacks.

8. Sensitive data is also allures hackers. Major Indian song portals and taxi-for-hire websites were hacked for credit card and user information.

9. Last year, it was reported that 90% of mobile banking applications were vulnerable to attack.

Key takeaways: Unless companies operate their business in a vacuum, they cannot overlook the risk of hacking. This risk is real and getting graver with more money being pumped into the online economy. Information Technology research giant Gartner has already predicted that increasing adoption of cloud and mobile will drive security market, which is estimated to $76.9 billion by this year and $170 billion by 2020.

Phishing

10. 156 million phishing emails are sent every day. The figure crosses 56 billion in a year.

11. 16 million emails manage to pass the spam filters successfully every day.

12. Around 800, 000 links in these spam emails are clicked on a daily basis.

13. Phishing causes companies an estimated loss of $28.1 billion.

14. There is an acute lack of awareness on phishing attacks in employees across the world. Such attack are even more dangerous when employees are using their official user rights in the network.

15. Advanced phishing attacks also use social engineering to extract user information through social networking.

16. One phishing attack is carried out every minute.

17. Is it easy to identify phishing mails? Survey shows that 97% internet population cannot differentiate a sophisticated phishing mail.

Key takeaways: Modern phishing is not just a risk for customers and users but also businesses at large. Phishing is increasingly being used to launch sophisticated Cross-Site Scripting attacks to steal sensitive information.

OWASP Top 10

18. SQL Injection was discovered 15 years ago but it is still the most dangerous vulnerability. It even tops the OWASP Top 10 list.

19. Around 97% of all the data breaches across the world happen due to SQL Injection.

20. Cross Site Scripting, on the other hand, is the easiest way to compromise sites.

21. 91% of the websites detected with ‘Critical’ vulnerabilities tested by Indusface Web Application Scanning had SQL Injection vulnerability.

Key takeaways: OWASP vulnerability detection and protection is the first step towards securing web and mobile applications. It is unfortunate that even some of the major online brand names overlook app security and compliance.

Malware

22. Malware exist in computers of around 40% of the computer users.

23. There are more than 400, 000, 000 types of malware today.

24. 80, 000, 000 types of malware have been identified recently.

25. Malware is the top reasons behind sites getting blacklisted by search engines and site index portals.

26. 97% of all types of mobile malware affects Android devices solely.

Key takeaways: Malware like virus, worms, adware, and Trojan horses affects web and mobile applications at large. Data breach, blacklisting, DDoS, and loss of business reputation are some of the severe risks that companies face if malware is not prevented. Regular scanning for malware detection is critical.

Distributed Denial of Services

27. DDoS attacks cost banks up to $100, 000 per hour.

28. 20% of such attacks last for days and even months.

29. A lot of attackers also use DDoS as a diversion for other kinds of application attacks.

30. 87% of the attacked companies were hit more than once.

31. Attacks within bandwidth of 1-5 GB have increased by 150%.

32. Competitors launch DDoS attacks to disrupt business on high sale volume days.

33. Companies need around 10 employees to mitigate DDoS.

34. It is impossible to detect and prevent all types of DDoS attacks unless traffic to the application is monitored continuously.

35. The estimated cost of successful DDoS attack for a company is anywhere between $5,000 and $19,999 an hour.

Key takeaways: With intrusion prevention systems and network firewalls failing to detect application distributed denial of services, companies should look into 24 × 7 DDoS monitoring and mitigation solutions like manage web application firewall.

Don’t know if your website is secure? Get it tested for free here

Research Sources:

  • Indusface research, reports, whitepapers, and case studies
  • Forbes
  • The Dark Reading
  • KPMG
  • Government of Canada
Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.