Attacks on web applications account for 40 percent of cyberattacks – how secure is your website?
Your website is one of your most valuable assets. For your customers it can act as a shop window to your products and services, a source of valuable company information, or a full retail trading platform.
For your organization, your website is invaluable for generating new business and providing insight into visitor behavior and preferences. However, this also makes your website a prime target for attack by cybercriminals looking to harvest company and customer data. In this post we’ll explain what website security is, why it is so important and how you can go about ensuring your site is protected.
What is website security?
There are several common attack methods that criminals employ when targeting company websites.
One method is to abuse the third-party technologies embedded in your website to get in through ‘the back door’. These services add value to visitors’ engagement with your website, in the form of live chat bots, social media buttons or advertisements, but they run as scripts in the visitor’s browser with the same access to the page as your own code. The problem is that third-party vendors can change their scripts at any time without any permission from, or notice to, your website, creating a security blind spot which attackers can exploit while your security and IT teams remain completely unaware of the problem.
Attacks on web applications through cross-site scripting (XSS) – where attackers inject malicious scripts into an organization’s website so that they execute in visitors’ browsers – accounted for almost 40 percent of the top ten exploits in Q3 2018.
Attacks can also be carried out by manipulating the DOM environment in the visitor’s browser (DOM-based XSS): attacker-controlled data, for example from the URL fragment, is written into the page by the site’s own client-side JavaScript. With the vulnerability in the client-side code rather than server-side, this type of attack is harder to detect, as the payload need never be sent to the server – the fragment part of a URL is not included in the HTTP request – so server-side filters and logs never get a chance to see the attack taking place.
Here are a few examples of other automated threats to web applications:
- Scraping and Data Theft: Attackers use bots to try to access restricted areas of web applications and get hold of sensitive data such as access credentials, payment information and intellectual property (IP).
- Performance: Bots can impact the availability of a website, bringing it to a complete or partial denial-of-service state.
- Spammers and Malware Downloaders: Targeting mobile and web applications, criminals use sophisticated techniques such as spoofing their IP addresses, mimicking user behavior, and abusing open-source tooling to bypass CAPTCHAs, challenges and other security heuristics.
The dangers of laissez-faire attitudes to web security
What’s worrying is an apparent lack of awareness or responsibility when it comes to cyber security, even among the most popular websites. Research by WatchGuard shows that 6.8 percent of the top 100,000 websites use insecure SSL/TLS protocol versions, and 20.9 percent do not use HTTPS at all, leaving them fully open to data interception or man-in-the-middle (MitM) attacks.
One recent example of inadequate website security is the Nova Scotia government, which has been criticised for “poor overall project management” and a “serious failure of due diligence” after a series of data breaches of one of its websites exposed 7,000 documents containing citizens’ personal information.
The information and privacy officer for the province has recommended that the government conduct an inventory of technology solutions, devices and applications across government, rate their vulnerabilities, and create a plan to mitigate them.
Unfortunately, this is not an isolated incident. Our research shows that 87 percent of enterprise businesses do not review the security of their customer data, indicating an apathetic approach to website security. If exploited, this can have a serious impact on the business, as many organizations have discovered in recent years.
It doesn’t matter if the website is public sector-run, holding data such as social security numbers or medical information, or a retailer that stores their customers’ credit card or bank details – the fallout can be dramatic, and costly.
Understanding the risks of poor website security
The latest figures put the average cost of a cyberattack at more than $1 million (£780,000), an increase of 52 percent over the past year. Radware’s recently published 2018-2019 Global Application and Network Security Report says this figure takes into account operational and productivity losses combined with negative customer experience.
- 43 percent of firms reported negative customer experiences and reputation loss following a successful attack
- 37 percent suffered brand reputation loss and one in four lost customers
- 54 percent reported loss of productivity
Breaking these costs down further, the most common expenses following an attack or data breach include:
- Direct costs: Extended labor, investigations, audits, software patch development, etc.
- Indirect costs: Crisis management, fines, customer compensation, legal expenses, share value
- Prevention: Emergency response and disaster recovery plans, hardening endpoints, servers and cloud workloads
The number of organizations under attack from cybercrime is also on the rise. The same report shows that most organizations experienced some type of attack within the course of a year, with only seven percent claiming not to have experienced an attack at all. Those who reported the highest damage were from the retail and high-tech sectors.
- Data leakage and information loss remain the biggest concern to more than a third of businesses, followed by service outages
- Application-layer attacks cause considerable damage; two-thirds of firms experienced application-layer DoS attacks and 34 percent foresee application vulnerabilities being a major concern in the coming year
- More than half reported making changes and updates to their public-facing applications monthly, while the rest made updates more frequently, driving the need for automated security
Website security checks: a necessity
In light of the heightened risks associated with a data breach, consistently monitoring the security of your website is a must. However, it can be difficult to track and manage all your third-party technologies, plus the further scripts and services these load in turn, which never appear in your own code at all.
This is where you need a website security solution like our MarSec™ platform, which enables you to feel confident in your website security posture, while having the flexibility to run your business.
The website security solution also fixes the problem of client-side vulnerabilities by extending protection beyond your company network to other susceptible areas.
With high-profile cyberattacks an increasingly common occurrence, it pays to be proactive in your approach to website security checks, because as we’ve seen, the fallout from a data breach can have catastrophic implications for your business.
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.