Bot traffic is taking over the Web
Bots conduct more than half (52 percent) of all Internet traffic flow today, and for some organizations they represent more than 75 percent of their total traffic, according to a new report from the Ponemon Institute sponsored by cyber security vendor Radware.
This is a significant finding, the study said, considering that one third of organizations can’t distinguish between “good” bots and “bad” ones.
The report, based on a global survey of more than 600 security executives from the retail, healthcare, and financial services sectors, found that nearly half (45 percent) of respondents had experienced a data breach in the last year.
More than two thirds (68 percent) are not confident they can keep corporate information safe. In addition, companies often leave sensitive data under-protected. More than half (52 percent) do not inspect the traffic they transfer to-and-from APIs, and 56 percent do not have the ability to track data once it leaves the company.
“It’s alarming that executives at organizations with sensitive data from millions of consumers collectively don’t feel confident in their security,” said Carl Herberger, Vice President of Security Solutions at Radware.
“They know the risks, but blind spots continue to pose a threat. Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines.”
Key survey findings include:
Application security is an afterthought
Everyone wants the full automation and agility that the continuous delivery model of app development provides. Half (49%) of the respondents currently use the continuous delivery of application services and another 21% plan to adopt it within the next 12-24 months. However, continuous delivery can compound the security challenges of app development: 62% reckon it increases the attack surface and approximately half say that they do not integrate security into their continuous delivery process.
Bots are taking over
Bots are the backbone of online retail today. Retailers use bots for price aggregation sites, electronic couponing, chatbots, and more. In fact, 41% of retailers reported that more than 75% of their traffic comes from bots, yet 40% still cannot distinguish between “good” and “bad” bots. Malicious bots are a real risk. Web scraping attacks plague retailers by stealing intellectual property, undercutting prices, holding mass inventory in limbo, and buying out inventory to resell goods through unauthorized channels at markup. But bots are not the exclusive problem of retailers. In healthcare, where 42% of traffic is from bots, only 20% of IT security execs were certain they could identify the “bad” ones.
API security is often overlooked
Some 60% of organizations both share and consume data via APIs, including personally identifiable information, usernames/passwords, payment details, medical records, etc. Yet 52% don’t inspect the data that is being transferred back and forth via their APIs, and 51% don’t perform any security audits or analyze API vulnerabilities prior to integration.
Holidays are high risk for retailers
Retailers face two distinct but highly damaging threats during the holidays: outages and data breaches. Web outages during the holiday season, when retailers make most of their profits, could have disastrous financial consequences. Yet more than half (53%) are not confident in their ability to provide 100% uptime of their application services. High-demand periods like Black Friday and Cyber Monday also spell trouble for customer data: 30% of retailers suggest they lack the ability to secure sensitive data during these periods.
Patient healthcare data is at risk
Just 27% of healthcare respondents have confidence they could safeguard patients’ medical records, even though nearly 80% are required to comply with government regulations. Patching systems is critical to an organization’s security and its ability to mitigate today’s leading threats, but some 62% of healthcare respondents have little or no confidence in their organization’s ability to rapidly adopt security patches and updates without compromising operations. More than half (55%) of healthcare organizations said they had no way to track data shared with a third party after it left the corporate network. Healthcare organizations are particularly unlikely to monitor the dark net for stolen data, with 37% saying they did so, compared to 56% in financial services, and 48% in retail.
Multiple touchpoints equal higher risk
The rise of new financial technology (like mobile payments) has increased the access and volume of engagement with consumers, which, in turn, increases the number of access points with vulnerabilities and expands the risk security executives face. While 72% of financial services organizations share usernames and passwords and 58% share payment details via APIs, 51% do not encrypt that traffic, potentially exposing valuable customer data in transit.