Security Lessons Learned in 2016
More than 2.2 billion records were stolen last year in almost 3,000 publicly reported data breaches. The media spotlight was on big-brand mishaps like Yahoo's (over 1 billion records compromised), but is it safe to assume that small businesses were overlooked by the hackers? Here are the security lessons we learned in 2016.
You can start by finding out whether your website has vulnerabilities with the Indusface Free Website Security Scan.
1. Startups and small businesses face bigger challenges.
Hackers do not differentiate between small and large companies. Their automated tools scan the whole web for the weakest defenses. Osterman Research's survey reports that 71% of SMEs suffered a security breach during the previous 12 months. Because these breaches are rarely made public, most SMEs remain reluctant to invest in the security measures and personnel needed to protect their brand and their customers' sensitive data. Enterprises usually have the budget for an in-house application security team; smaller companies do not.
2. Application-layer is still vulnerable.
A few years ago, Gartner found that 70% of cybersecurity threats were at the application layer, yet even after all these years companies have failed to secure Layer 7. Recently the Ponemon Institute surveyed 600 IT leaders and found that 49% of businesses had experienced web application attacks, the most common threat facing businesses today. On the other hand, the SANS Institute's IT Security Spending Trends report shows that companies still spend more on wireless security and network traffic visibility, which suggests they still consider network defenses the best means of protecting sensitive data. Given that the majority of security vulnerabilities exist at the application layer, SMEs must look beyond a traditional security approach restricted to the network layer and have a plan to manage their web presence.
3. Ransom attacks continue to grow.
Hackers have adopted ransomware and application-layer Distributed Denial of Service (DDoS) attacks as new weapons for holding companies to ransom. Last year, when the TalkTalk database was breached, the company received a ransom demand from a group or individual claiming responsibility; they demanded approximately £80K in Bitcoin. This year, several incidents have been reported in which hackers threatened to launch DDoS attacks against companies that did not pay a ransom.
According to one survey, 80% of IT security professionals believe their organization will be threatened with a DDoS ransom attack in the next 12 months. Even more alarming, 43% of respondents believe it is possible that their organization would pay the ransom.
4. Customers prefer secure companies.
Nearly two-thirds (64%) of consumers surveyed worldwide last year say they are unlikely to shop or do business again with a company that had experienced a breach in which financial information was stolen, and almost half (49%) said the same about breaches in which personal information was stolen.
The survey also highlighted that around a quarter (23%) of respondents who had been victims of a data breach either have considered or would consider taking legal action against the breached company that exposed their personal information. With customers becoming cautious about their choices, brands must secure not only their customers' money but also their Personally Identifiable Information (PII).
Securing Your Business with Indusface
The year 2016 has shaken organizations' security assumptions around the world. No company is truly secure without shielding the most vulnerable layer, Layer 7, the web application. Indusface, through its Total Application Security solution, helps businesses detect, protect against and monitor application-layer threats, including automated attacks. Offered as a service, it provides full management of the operation by subject matter experts at a fraction of the cost of hiring an in-house team. It includes:
- The latest security notifications to protect your applications from known vulnerabilities
- Periodic website penetration testing
- Business logic tests on all applications to find vulnerabilities, zero-day threats and automated application risks
- Custom WAF rules to block attacks (via virtual patching). Keep in mind that Verizon's DBIR found that 70-90% of malware samples are unique to a single organization, which is why generic signatures alone are not enough.
- Tracking an attacker's malicious behavior first, rather than simply blocking the attack outright
- 24x7 monitoring that gathers the attacker's IP address, user ID (if authenticated), geolocation, navigation/user behavior and machine fingerprint; that intelligence about the attacker's methods is then used to create more aggressive blocking rules against them
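To make the last three items concrete, here is an added example (written for this article, not Indusface's own code) of a small virtual-patch layer in Python. It shields two hypothetical vulnerable parameters with custom rules, records each attacking source's IP address, user ID, fingerprint, paths and matched rules rather than only dropping the request, and blocklists the source outright once it has tripped enough rules. The rule IDs, URL paths, parameters and sample requests are all constructed for the example.

```python
"""Virtual patching with attacker tracking (constructed example, not Indusface code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical virtual patches: each shields one known vulnerable input until the
# application code itself is fixed. Rule IDs, paths and parameters are made up.
VIRTUAL_PATCHES = [
    ("VP-001", "/download", "file",
     re.compile(r"(\.\./|\.\.\\|%2e%2e|\x00)", re.I),
     "path traversal in file parameter"),
    ("VP-002", "/search", "q",
     re.compile(r"(\bunion\b[\s\S]{0,40}\bselect\b|'\s*or\s+\d+\s*=\s*\d+)", re.I),
     "SQL injection in q parameter"),
]


@dataclass
class Request:
    ip: str
    path: str
    params: dict
    user: str = ""          # empty when the request is unauthenticated
    fingerprint: str = ""   # client fingerprint supplied by the edge, assumed opaque


@dataclass
class AttackerRecord:
    """Intelligence gathered about one (ip, fingerprint) source."""
    hits: int = 0
    rules: set = field(default_factory=set)
    users: set = field(default_factory=set)
    paths: set = field(default_factory=set)


class VirtualPatchWAF:
    def __init__(self, block_threshold=2):
        self.block_threshold = block_threshold
        self.records = defaultdict(AttackerRecord)   # keyed by (ip, fingerprint)
        self.blocked = set()                          # sources cut off entirely

    def match(self, req):
        """Return (rule_id, description) of the first virtual patch hit, else None."""
        for rule_id, prefix, param, pattern, desc in VIRTUAL_PATCHES:
            value = req.params.get(param)
            if req.path.startswith(prefix) and isinstance(value, str) and pattern.search(value):
                return rule_id, desc
        return None

    def inspect(self, req):
        """Verdicts: 'allow', 'deny' (request stopped by a virtual patch),
        'blocked-source' (everything from this source is now dropped)."""
        key = (req.ip, req.fingerprint)
        if key in self.blocked:
            return "blocked-source"
        hit = self.match(req)
        if hit is None:
            return "allow"
        # The virtual patch always stops the exploit attempt; what we decide here
        # is how much to learn about the source before shutting it out entirely.
        rec = self.records[key]
        rec.hits += 1
        rec.rules.add(hit[0])
        rec.paths.add(req.path)
        if req.user:
            rec.users.add(req.user)
        if rec.hits >= self.block_threshold:
            self.blocked.add(key)
        return "deny"


# Constructed traffic: one probing client on a documentation-range IP, one clean client.
SAMPLE_REQUESTS = [
    Request("203.0.113.7", "/search", {"q": "laptop bags"}, fingerprint="fp-A"),
    Request("203.0.113.7", "/download", {"file": "../../etc/passwd"}, fingerprint="fp-A"),
    Request("203.0.113.7", "/search",
            {"q": "x' UNION SELECT username, password FROM users--"},
            user="guest42", fingerprint="fp-A"),
    Request("203.0.113.7", "/download", {"file": "report.pdf"}, fingerprint="fp-A"),
    Request("198.51.100.4", "/download", {"file": "report.pdf"}, fingerprint="fp-B"),
]


def run_sample(threshold=2):
    """Run the constructed traffic through the WAF; return the verdicts and the WAF."""
    waf = VirtualPatchWAF(block_threshold=threshold)
    return [waf.inspect(r) for r in SAMPLE_REQUESTS], waf


if __name__ == "__main__":
    verdicts, waf = run_sample()
    for req, verdict in zip(SAMPLE_REQUESTS, verdicts):
        print(f"{req.ip:<14} {req.path:<10} {verdict}")
    for key, rec in waf.records.items():
        print(key, rec)
```

The fourth request is benign, but by then the source has tripped two virtual patches and is dropped anyway, which is the trade-off behind "track first, then block": a higher threshold gathers more intelligence (paths probed, accounts used, rules matched) at the cost of letting the source keep probing the patched surface.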
Find out how it secures your business and customers with a Free Forever Plan today.