Web Application Risk Assessment for the C-Suite
A high-level article on the risk inherent in running a web app, which can be low-hanging fruit for attacks.
Not too long ago, CEOs, CTOs, and CIOs could remain removed from the arcane aspects of setting IT security strategy. As the seemingly endless parade of news stories about corporate data breaches makes clear, though, those days are long gone.
It’s increasingly obvious that an informed approach to digital security is (or should be) a cornerstone of every organization’s business strategy. Viewed in this context, it’s easy to see why boards of directors and C-level executives are becoming accountable for IT security risks. These executives must get educated about the issues and carefully consider their role in driving a security-centric culture in their organizations.
This is far from a simple proposition. The number and variety of threats to corporations’ digital assets are daunting to consider, but one threat eclipses all the rest: attacks on web applications.
Why? Because for attackers, web apps represent low-hanging fruit. Harvesting usernames and passwords through Account Takeover attacks, carried out via insecure web apps, is not terribly difficult for skilled hackers, and it can be highly profitable.
Stolen Credentials Can Lead to Lawsuits — and Worse
Examples of this type of attack include this month’s disclosure of the massive Yahoo hack, last month’s news of a major Dropbox breach, and the 2013 Adobe breach, among many others. What these events have in common is that they took anywhere from months to years to discover and be made public, and that they’ve caused major business headaches so far (and there could be much more to come).
In the case of the Yahoo hack, made public earlier this month, the ramifications will likely be felt for years. As of this writing, at least five lawsuits have been filed against Yahoo relating to the breach, and a half-dozen U.S. Senators have asked the company to explain what it knew about the hack, when it knew it, and what it is doing to protect users now.
And that’s not even the end of the bad news for Yahoo. Since the company was in the midst of its pending $4.8 billion acquisition by Verizon when the hack was disclosed, the future of that deal is now in question. The federal Securities and Exchange Commission may now investigate whether Yahoo met the mandated disclosure requirements regarding the breach.
Advice for Execs: Getting a Handle on Web App Security
For executives who want to take greater control of their organizations’ digital security, the first step is education. It’s critical to learn the basics about the various types of threats to corporate digital assets, particularly web applications. The Open Web Application Security Project (OWASP) provides extensive, detailed information on this topic, including a series of cheat sheets on subjects ranging from credential stuffing prevention to threat modeling. It makes sense for execs to read these and start an open-ended conversation with their security engineers.
Less-technical folks won’t understand all the ins and outs of application security right away. But researching the parameters of the problem and asking for context from those in the trenches goes a long way. This is the first step to understanding the impact of web application security on the business as a whole. Other advice to consider:
- Recognize that web app security is not something you do once and forget about
- Understand that web app security budgets should be driven by the specific problems to be solved and the risks to be avoided
- Recognize that application security can’t be a piecemeal or haphazard activity, but needs to be baked into business strategy across the board
- Encourage a shift in emphasis from reactive responses to breaches, to proactive strategies to lessen the likelihood of future incidents
- Work with board members to help them see application security as another enterprise risk they need to prepare for and manage on an ongoing basis
Understanding the Stakes of Stolen Credentials
Need more incentive to get actively involved in securing web applications? As Dark Reading reported recently, 97 percent of the 1,000 largest companies in the Forbes Global 2000 list have been found to be at risk of attacks involving the use of stolen credentials belonging to their employees. And these attacks are costing companies more than ever.
The Ponemon Institute, in its latest annual Cost of Data Breaches study, found that the average cost of a data breach for companies surveyed has grown to $4 million, representing a 29 percent increase since 2013.
“Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014,” according to the 2016 Cost of Data Breaches report.
Ponemon also found the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. While breaches that were identified in fewer than 100 days cost companies an average of $3.23 million, breaches that were found after the 100-day mark cost over $1 million more on average ($4.38 million). The average time to identify a breach in the Ponemon study was estimated at 201 days, and the average time to contain a breach was estimated at 70 days.
One thing is clear: the time to act is now.
Published at DZone with permission of Maria Lee, DZone MVB.