Rusty Carter, Vice President of Product Management at Arxan Technologies
At the beginning of May 2018, together with Ponemon, Arxan Technologies announced the findings of our 2018 Global Study on Application Security, surveying nearly 1,400 IT and IT security practitioners in the United States, European Union and Asia-Pacific.
The aim of this study was to understand the risks that unprotected applications pose to businesses when running in unsecured environments and how those businesses are addressing this risk.
The results of this survey indicated a predominant global issue: application breaches are rising and so are the security risks of running business critical apps in zero-trust environments. However, companies are not adequately investing in application security measures until after breaches occur, resulting in loss of productivity, customer trust and revenue.
Our study showed that nearly 75% of organisations are likely, most likely, or definitely have experienced a material cyber-attack or data breach within the last year due to a compromised application. However, it turns out only 25% of organisations are making a significant investment in solutions to prevent application attacks, despite awareness of the negative impact of malicious activity.
Why is an unprotected application so risky?
The majority of applications will contain some sort of personal identifiable information, such as name, age, email address, etc. Within the financial sector, these apps will almost certainly also contain payment details. In addition to this, applications are hosted on a device containing other applications and other personal or confidential details. This makes them a big target for hackers.
If a cybercriminal were to hack into an application, he or she would have access to all the above, as well as the ability to create a malicious version of that particular application.
Therefore, application protection and security are a must.
Data breaches, whoever they are suffered by, are a big deal.
The average data breach costs a business almost $4 million. This does not only relate to loss of revenue but other incremental losses including; loss of customer trust, the impact to operations, and ever-increasing insurance costs. Threats are only getting worse, nevertheless, if companies – particularly those within the financial industry – change the way they think about investing in application security, they will be much better protected and at much less risk of data breaches and their associated losses.
Threats to the financial industry
The finance industry is one of the most obvious targets for cybercriminals due to the sensitive nature of its data, its use of banking apps, as well as of course its direct access to, or handling of, money.
Earlier this year the finance industry was threatened by Meltdown and Spectre, during which even the most well-written banking apps were exposed to loss through the vulnerabilities. The industry suffered an increased risk of customer data such as account numbers and user credentials being exposed. The industry was shaken by this vulnerability threat and many responded by improving their cybersecurity strategy, however, more still needs to be done. Some organisations do continue to use unsecured applications and, unfortunately while they do so, we cannot be certain a similar threat will not come back to haunt the world of finance.
How can companies change their strategy?
Companies underestimate the threat vectors created by the widespread use of mobile applications. It is a relatively simple task to reverse engineer a mobile application giving access to IP, business logic or communication protocols. Many companies use encryption in the belief that this will give them enough protection, but they are wrong – it’s not enough. Companies believing that encryption provides a locked door against hackers are being lured into a false sense of security.
One of the most effective ways of protecting applications from the ever-growing cyber threat is through specific capabilities such as threat analytics. The real-time detection and reporting of threats to an application from the moment they are deployed is critical to adapting everything from application protection, to network and other datacentre defences, and that is exactly what threat analytics does.
Put simply, threat analytics provides visibility. It allows business owners to see who, how and from where applications are being attacked while those attacks are in progress. It also has the ability to rapidly deploy proactive countermeasures before an attack is completed or becomes widespread.
Other protection, which is highly recommended for banks and other financial institutions to implement as part of a standard security strategy, includes obfuscation and anti-reverse engineering and anti-tampering. By taking these precautions the threat of attack, and the consequential stealing of data and personal identifiable information, is reduced.
Changing the traditional mindset
It is disturbing that so many companies acknowledge the increasing risk of application attacks, yet they are doing very little to prevent breaches from occurring. As mentioned above, at the moment only 25% of respondents say their organisation is making a significant investment in solutions to prevent application attacks. This is not enough. Companies, both in the financial industry, and many others, have to change the way they think about investing in app security because threats are only going to get worse.