In the last year, we have seen security attacks tip over into terabyte territory. It's not something we expected to see so quickly or frequently, but the future is here. It's not just private companies like retailers or banks that are experiencing attacks of this scale either: we've seen the public sector succumb and we've seen the infrastructure providers so many companies rely on fall foul.
Most notable was the attack on the French hosting provider OVH, which was one of the first to see a terabyte attack. Professionals looking at security trends weren't surprised to see terabytes recorded because they had been expecting them; it was the proliferation of bots behind the attacks that caused most alarm. Bots had gone mainstream.
Back in 2016, we saw a shift in denial of service attacks when brute force started to become the hacker's tactic of choice. Advanced persistent denial of service attacks using aggressive automated bots started to grow in popularity. Fast forward a year and bots have become more sophisticated, exploiting the digital transformation strategies many companies are embarking on.
Take retail, for example. 40% of retailers say that three-quarters of all their internet traffic is from bots. For them, bots are integral to operations, used for everything from online support chatbots through couponing to the price checking that supports 'price promise' marketing strategies.
But as with so many new technologies, especially ones that depend on applications and the cloud, progress in the use of bots has widened the security landscape and introduced more vulnerabilities that hackers can leverage.
For instance, web scraping attacks plague retailers. Bots are actively used to steal intellectual property, undercut prices and hold mass inventory in limbo. We've seen an interesting trend for using bots to create new black markets. 'Sneaker bots' are the most common: bots designed to buy up the full inventory of exclusive, limited edition trainers so that they can then be sold through unauthorised channels at a markup.
It's not limited to sportswear either. Airline and concert tickets are highly prized. Yet even though retailers know it happens, 40% are unable to say if they are targets because they don't have the ability to identify bad bots.
That's worrying when you consider that earlier this year Gartner predicted cloud services would grow by 18% as more companies embarked on transformation programmes. Companies can't afford to be complacent when it comes to using the cloud for business transactions.
Just look at the fallout from Uber's breach. Although a giant when it comes to developing apps that challenge the status quo and improve life, it has shown that you can be made to look pretty small by the hacking community.
Its disruptive business model, though well loved by the investor community, has disrupted lives and stirred up social unrest among the driver community, with riots from Paris to India to show for it.
It has made itself a target, a symbol of unethical business for 'ethical hackers' to go after. What's most interesting though is that it wasn't a very sophisticated hack. It really didn't take much to get the data.
It would seem that the team developing the apps were sloppy in their processes and that security, which should be integral to the design of the app, was an afterthought. It's well known that the process of developing apps, DevOps, is often pressured by the need to get to market quickly and ahead of the competition, and to give venture capital investors a quick return on their investment. But it's opening up huge risk: in fact, research shows that half of DevOps initiatives don't include security in design.
There's no doubt that the use of applications to improve agility is why the cloud is so important to everyone from major corporations to the latest fintech startup. There's no better way to scale and disrupt industries. However, application development, in particular the continuous delivery models used in half of all app development, comes at a price: people's privacy.
Senior IT directors even admit the risk, with two-thirds believing it's flawed when it comes to security, underscored by the fact that half of all apps are not developed with security in mind. Security is well and truly an afterthought.
Plus, the APIs used by the apps aren't using encryption. Only 48% of companies inspect the data that is being transferred between APIs, and 51% don't do any security audits or analyse potential security vulnerabilities before launch.
Given companies see an attack on their network most days, it seems madness that this situation should occur. However, the need to get to market with innovative apps that will improve transaction times and ultimately attract more loyal customers appears to be deemed more important.
It's likely that the GDPR will change attitudes, and frankly, it must. Breaches won't be tolerated and the ICO will no doubt be looking to make an example of anyone who attempts to sweep things under the carpet. But even then there are question marks over readiness, especially from across the Atlantic, where less than 20% of companies trading in Europe think they will be compliant.
However, that's six months away. More urgent for retailers is the need to hit trading targets this Christmas. While billions may have been spent on Black Friday, there are no guarantees that the trend for sales will continue. It's still possible consumers have had their blowout and won't spend in the next few weeks.
CIOs know they are in the firing line should transactions fail: every sale will be critical. There is absolutely no room for outages. What's more, the investment in bots to make the customer's experience easier and faster will really be tested. Get it wrong and consumers will vote with their feet.
That all places a huge amount of pressure on the telco sector to ensure online sites are always available, apps work every time and money goes through the tills.
But it's a battle it appears to be losing, as 51% of retailers don't think they can keep applications up and running 100% of the time. And to add further complexity, busy periods really test security measures, with 30% of retailers admitting they can't be sure they can secure sensitive data during peak trading times.
Once again business strategy is taking precedence over security. So how can businesses get it right? The most obvious answer is to include security in the design of applications. But, of course, designs have to be tested, and no matter how imperative it is to get to market, companies must ensure the apps are secure, data is encrypted and it can be chased. These facets of development have to be part of the business case.
Not only that, but companies need to look ahead and consider how the technologies they use for very positive means can be exploited by malicious hackers. In understanding how bots, for instance, can be used against them, they have a chance to develop security processes and policies that protect people and their data around the clock. After all, as retailers fight for survival and the ICO watches on intently, every second will count.
Andrew Foxcroft is Radware's regional director for the UK, Ireland and the Nordics, where he leads the teams supporting some of the UK's largest names in retail, finance, telecoms and gaming, as well as public sector organisations, with their application and network security.