main

Application SecurityMobile DataMobile SecuritySecurity

Growing Your Business: Millennials and M-Commerce

December 6, 2018 — by Mike O'Malley0

mcommerce-960x640.jpg

Millennials are the largest generation in the U.S. labor force—a position they’ve held since 2016—and they’re involved in the majority (73%) of B2B purchasing decisions. Raised in the age of the Internet, they’re digital natives and easily adopt and adapt to new technologies. And mobile apps are their lifelines.

Why does this matter? Well, when you combine Millennials’ tech savviness with their business acumen, their clout in a digital economy comes into focus. As both decision-makers and connoisseurs of mobile technology, they can make or break you in a low-growth economy if your business model doesn’t square with their preferences.

In other words, if you’re not embracing mobile commerce, you may soon be ancient history. This generation has little-to-no use for brick-and-mortar storefronts, banks, etc., instead preferring to use apps for shopping, financial transactions and more.

Of course, making m-commerce a linchpin of your business model isn’t risk free; cybersecurity concerns are of critical importance. Increasingly, personal data protection is tied directly to consumer loyalty to a particular brand, and Millennials in particular care about how their data is used and safeguarded.

You Can’t Rush Greatness

While Millennials are renowned for an “I want it fast, and I want it now” attitude (which explains why 63% of them use their smartphone to shop every day, versus trekking to a store), the biggest mistake you can make is overlooking security in a rush to roll out a mobile strategy.

The fact is, vulnerabilities on m-commerce platforms can result in severe financial impacts; the average cost of a corporate data breach is $3.86 million. If a mobile app or mobile responsive e-commerce site is hit by an application attack, for example, short-term profit loss (which can escalate quickly) and longer-term reputation loss are serious risks. And as we move into 2019, there are several mobile security threats that we need to take seriously.

[You may also like: Are Your Applications Secure?]

Baking cybersecurity into your mobile strategy—as a core component, not an add-on—is, without question, necessary. The reason is manifold: For one thing, mobile devices (where your app primarily lives) are more susceptible to attacks. Secondly, mobile commerce websites are often implemented with a web application firewall to protect it.  Thirdly, Millennials’ reliance on m-commerce, both as B2B and B2C consumers, means you stand to lose significant business if your app or website go “down.” And finally, Millennials are security conscious.

Securing the Secure Customer Experience

So how can you help ensure your m-commerce platform, and thereby your Millennial customer base, is secure? A number of ways:

  • Guard your app’s code from the get-go. Test the code for vulnerabilities, ensure it’s easy to patch, and protect it with encryption.
  • Consider a Web Application Firewall (WAF) to secure your APIs and your website.
  • Run real-time threat analytics.
  • Be mindful of how customer data is stored and secured. (Don’t pull an Uber and store data unencrypted!)
  • Patch often. Because security threats evolve constantly, so must your security patches! Just ask Equifax about the importance of patching…

[You may also like: Growing Your Business: Security as an Expectation]

Of course, this isn’t an exhaustive list of proactive security measures you can take, but it’s a good start. As I’ve said time and time again, in an increasingly insecure world where security and availability are the cornerstones of the digital consumer, cybersecurity should never be placed on the back burner of company priorities. Don’t wait for an attack to up your security game. At that point, trust is broken with your Millennial customer base and your business is in trouble. Be proactive. Always.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

ComplianceSecurity

Marriott: The Case for Cybersecurity Due Diligence During M&A

December 4, 2018 — by Mike O'Malley0

Marriott-960x640.jpg

If ever there was a perfectly packaged case study on data breaches, it’s Marriott’s recently disclosed megabreach. Last week, the hotel chain announced that its Starwood guest reservation system was hacked in 2014—two years before Marriott purchased Starwood properties, which include the St. Regis, Westin, Sheraton and W Hotels—potentially exposing the personal information of 500 million guests.

The consequences were almost immediate; on the day it announced the breach, Marriott’s stocks were down 5% in early trading and two lawsuits seeking class-action status (one for $12.5 billion in damages) were filed. And the U.S. Senate started to discuss stiffer fines and regulations for security breaches. So far, this is all par for the course.

But what makes Marriott’s breach particularly noteworthy is the obvious lack of cybersecurity due diligence conducted during the M&A process.

Never Ever Skip a Step

In September 2016, Marriott International announced that it had completed the acquisition of Starwood Resorts & Hotels Worldwide, creating the largest hotel company in the world. In its press release, Marriott specifically touted the best-in-class loyalty program that the two brands, combined, could now offer members.

What Marriott International executives didn’t realize was that hackers had gained unauthorized access to Starwood’s loyalty program since 2014, exposing guests’ private information including names, phone numbers, email addresses, passport numbers, dates of birth, credit card numbers and more.

However, if Marriott had done its homework, it might have avoided the mountain of legal fees and compliance fines it now faces. In today’s digital age, cybersecurity due diligence during any M&A process is, without question, imperative.

[You may also like: The Million-Dollar Question of Cyber-Risk: Invest Now or Pay Later?]

And it’s not just security evangelists like myself who emphasize this. The American Bar Association likewise asserts that “it is critical to understand the nature and significance of a target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.”

The cost of cyberattacks is simply too great to not succeed in mitigating every threat, every time. A successful cyberattack and resulting data breach obliterates trust and destroys brands.

The Only Way Forward

When one company acquires another, it doesn’t just acquire assets. It also assumes the target company’s risks. Put simply, their gaps become your gaps.

In addition, lack of cybersecurity due diligence can actually undermine the value drivers of the deal.  In Marriotts’ case, a big driver was retention of the Starwood high value travelers: the people who make up the loyalty program. Due the pain these customers will now endure—changing credit card numbers, passports, etc.—this value driver has been irrevocably damaged.

It is critical that organizations incorporate cybersecurity into every fabric of the business, from the C-level to IT. Securing digital assets can no longer by delegated solely to the IT department; it must be infused into product and service offerings, security, and perhaps most importantly, development plans and business initiatives. In the case of Marriott, its $13 billion acquisition of Starwood represented a strategic initiative that involved the board of directors, C-level executives and management—all of whom are now partially responsible for the erosion of Marriott’s brand affinity.

[You may also like: Why Cyber-Security Is Critical to The Loyalty of Your Most Valued Customers]

And as we’ve written before, when it comes to loyalty programs, security must transition from the domain of reactive disaster recovery and business continuity into the realm of proactive protection. If loyalty programs are designed to focus on your most valuable customers, why wouldn’t its security fall in line with the other mission-critical assets and infrastructure responsible for servicing these very clients?

Marriott’s Starwood breach is an unfortunate case study for why CEO and executive teams must lead the way in setting the tone when it comes to securing the customer experience. When cybersecurity is overlooked or treated as an afterthought, the potential damage goes far beyond dollars and cents. Your very reputation is at stake.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Attack MitigationHacksSecurity

Growing Your Business: Security as an Expectation

November 7, 2018 — by Mike O'Malley0

Growing_Your_Business-960x640.jpg

Who is responsible for my device and application security? This is a critical question in today’s growing threat landscape, and one without a clear answer. Despite increases in demands for mobile app and connected device security features, no key players—device manufacturers, consumers, mobile carriers or organizations that consumers do business with via devices—will take responsibility.

While this is certainly problematic, it also represents an opportunity to differentiate your business from competitors by baking security into your platform. Over 70% of C-suite executives report being greatly concerned about data privacy and 66% admit that their network is vulnerable to hacking. In light of this, security must be recognized and acknowledged beyond an add-on or premium feature; it must be treated as an integral feature for any business owner.

The True Cost of Data Insecurity

When security is included as a core component of a business, it strengthens customers’ perceptions of your company. In fact, security itself can be a key selling point that sways customers from competitors. Startups that especially integrate security as part of its foundational architecture have a competitive advantage over companies of all sizes that gloss over security or utilize it as an unsupported, unplanned add-on.

[You may also like: The Million-Dollar Question of Cyber-Risk: Invest Now or Pay Later?]

Indeed, security as an afterthought is a major, and potentially fatal, flaw during a company’s decision-making process. The average cost of a data breach is $3.9 million – an amount enough to put myriad companies in bankruptcy. But costs can be even higher. For example, Yahoo agreed to a settlement of $50 million following its 2013 data breach and had to pay an additional $37.5 million for attorney fees and expenses.  And it didn’t end there; the original $4.83 billion deal to sell Yahoo’s digital services to Verizon was also discounted by $350 million as an added penalty for decreased brand value and to amend for other potential related costs. The true cost of a data breach? Far more than the current visible numbers.

Potential Growth Areas

Instead of approaching security as an extra, optional cost, business owners would do well to view security as a core capability for revenue; the growth potential for security as an integrated core strategy is enormous. Need proof? Just look at the numerous security vulnerabilities that accompany the constant onslaught of innovative hacking threats. Commonplace attacks, like IoT botnets, mobile APIs and malware, show no evidence of going away anytime soon and companies that are prone to system vulnerabilities are at risk. Even threats from a decade ago, such as Trojan malwares, and exploitation of vulnerabilities are still utilized as attacks, either in their original form or through modifications like malware botnet Mirai.

[You may also like: Defending Against the Mirai Botnet]

This is why companies shouldn’t wait for the “perfect” security product; delaying an investment in security only increases a company’s risk factor for being attacked and potentially dooms one to a constant game of catch up—and enormous costs. Conversely, by adding new applications within a secure business framework from the start, businesses can ensure optimal protection without any extreme added costs.

The sooner a business incorporates security as a core piece of the business puzzle, the better they’ll be at protecting and mitigating threats, and capturing new revenue opportunities. 

Don’t let data seep through the cracks. Secure the customer experience now.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

DDoS AttacksHacksSecurity

Hacking Democracy: Vulnerable Voting Infrastructure and the Future of Election Security

November 6, 2018 — by Mike O'Malley1

election_security-960x640.jpg

It’s been two years since international interference sabotaged the United States’ election security, and still the vulnerability of our voting infrastructure remains a major problem. This past May, during Tennessee’s primary election, the Knox County election website fell prey to a DDoS attack. And just days ago, Texas voters experienced “ominous irregularities” from voting machines.

In the lead up to the midterm elections, Radware surveyed Facebook users on the safety of U.S. elections, and the results paint a gloomy picture. The overwhelming majority (93.4 percent) of respondents believe that our election system is vulnerable to targeting and hacking—and they’re correct. What’s more, respondents were unable to suggest long-term tenable solutions when asked how the U.S. can improve its election safety (which is understandable, given the complexity of the issue).

A Seriously Flawed Voting Infrastructure

It is alarmingly quick and easy to hack into U.S. voting systems; just ask the 11-year-old boy who earlier this year demonstrated how he could hack into a replica of the Florida state election website and change voting results in under 10 minutes.

Why is it so easy? A large part of the problem is a lack of consistency among state election systems in either protocols or equipment. Voting equipment varies from paper ballots, to punch cards to electronic touch screens. Some states manually count votes while others use automation. Because of these many variables, each state has different security flaws and different vulnerability of being hacked.

There are roughly 350,000 voting machines used in the U.S. today, according to Verified Voting. There are two types of machines: direct-recording electronic (DRE) machines, which are digital and allow voters to touch a screen to make their selections, and optical-scan systems. Optical-scan machines allow voters to make their selections on a paper ballot, which gets fed into an optical scanner and can be used later to verify the digital results. The DREs are of particular concern because all models are vulnerable to hacking. And because DREs do not provide a hard copy of the vote, it is difficult to double-check results for signs of manipulation.

[You may also like: Can Hackers Ruin America’s Election Day?]

Additionally, voting machines need to be programmed with ballot information, which likely happens by direct connection to the Internet. Precinct results are often centrally tabulated by state and local governments over their various local area networks, adding even more points of potential hacking and vote manipulation.

Multiple voting machines, multiple connection points, multiple network architectures, multiple tabulation systems. There is no consistent framework to secure thousands of potential different weaknesses.

Today, the burden lies with local municipalities, which are ill-equipped to deal with sophisticated, nationally-organized cyber security attacks by hostile foreign governments. That’s the bad news. But the good news is that we can do something about it.

We Need to Reboot

This midterm election, it’s estimated that 1 in 5 Americans will cast ballots on machines that do not produce a paper record of their votes. This is highly problematic when you consider that the Department of Homeland Security (DHS) identified election system hacking in 21 states—nearly half of the country—last September. If left unaddressed, these vulnerabilities will continue to threaten national security and our democratic system.

The federal government, through DHS, needs to help municipalities and government workers minimize risks and become smarter about election hacking issues by taking these steps:

  • Teach administrative staff about phishing scams, DDoS attacks, etc.  While election officials and staff are trained on the proper procedures and deployment of their voting systems, it is also important that be educated on cybersecurity events so that they are not as likely to fall prey to them and compromise local networks.
  • Do not open any attachments without confirming the attachment came from a trusted source. Attachments are one of the biggest security risks, particularly attachments coming from unknown, suspicious or untrustworthy sources.
  • Use best practices for password protection such as two-factor authentication so that security is maximized. This method confirms users’ identities through a combination of two different factors: something they know and something they have, like using an ATM bank card which requires the correct combination of a bank card (something that the user has) and a PIN (something that the user knows).
  • Keep all software updated. Turn on auto-updates on your phone and laptops – don’t wait to apply them.
  • Check for firmware updates on all printer and network devices as part of your regular patch management schedule as these devices can be weaponized. Updates can add new or improved security features and patch known security holes.
  • Do not conduct any non-government related activity while connected to the network – fantasy football, signing your kid up for soccer, etc.

[You may also like: DDOS Protection is the Foundation for Application Site and Data Availability]

The Future of Election Security

Looking forward, innovative technologies such as blockchain, digital IDs and electronic signatures should be considered on a single, national voting network. Some states, like West Virginia, have already deployed pilot programs enabling voting via a blockchain network to store and secure digital votes.

The threat of interference remains until we are on a secure nationwide election system. To preserve the democratic value of one person one vote, the U.S. must make the necessary security upgrades to prevent voter fraud, foreign influence campaigns and hacking of our election infrastructure. Federal legislation needs to be introduced to make this happen. Protecting our elections is a matter of national security, requiring immediate action and coordination at all levels of government.

 

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

BotnetsDDoSSecurityWAF

Protecting Sensitive Data: A Black Swan Never Truly Sits Still

October 10, 2018 — by Mike O'Malley1

protecting-sensitive-data-never-sit-still-960x540.jpg

The black swan – a rare and unpredictable event notorious for its ability to completely change the tides of a situation.

For cybersecurity, these nightmares can take the form of disabled critical services such as municipal electrical grids and other connected infrastructure networks, data breaches, application failures, and DDoS attacks. They can range from the levels of Equifax’s 2018 Breach Penalty Fines (estimated close to $1.5 billion), to the bankruptcy of Code Spaces following their DDoS attack and breach (one of the 61% of SMBs companies that faced bankruptcy per service provider Verizon’s investigations), to a government-wide shutdown of web access in public servants’ computers in response to a string of cyberattacks.

Litigation and regulation can only do so much to reduce the impact of black swans, but it is up to companies to prepare and defend themselves from cyberattacks that can lead to rippling effects across industries.

[You might also like: What a Breach Means to Your Business]

If It’s So Rare, Why Should My Company Care?

Companies should concern themselves with black swans to understand the depth of the potential long-term financial and reputation damage and suffering. Radware’s research on C-Suite Perspectives regarding the relationship between cybersecurity and customer experience shows that these executives prioritize Customer Loss (41%), Brand Reputation (34%), and Productivity/Operational Loss (34%). Yet, a majority of these same executives have not yet integrated security practices into their company’s security infrastructure such as their application DevOps teams.

The long-term damage on a company’s finances is note-worthy enough. IT provider CGI found that for technology and financial companies alone, they can lose 5-8.5% in enterprise value from the breach. What often goes unreported, however, is the increased customer onboarding costs to combat against large-scale customer churn following breaches.

For the financial sector, global accounting firm KPMG found that consumers not only expect institutions to act quickly and take responsibility, but 48% are willing to switch banks due to lack of responsibility and preparation for future attacks, and untimely notification of the breaches. News publication The Financial Brand found that banking customers have an average churn rate of 20-40% in 12 months, while a potential onboarding cost per customer can be within the $300-$20,000 range. Network hardware manufacturer Cisco estimates as high as 20% of customers and opportunities could be lost.

Just imagine the customer churn rate for a recently-attacked company.

How does that affect me personally as a business leader within my company?

When data breaches occur, the first person that typically takes the blame is the CISO or CSO. A common misconception, however, is that everyone else will be spared any accountability. But the damage is not limited to just security leadership. Due to the wide array of impacts that result from a cyberattack, nearly all C-level executives are at risk; examples include but are not limited to Equifax’s CEO, Richard Smith, Target CEO Gregg Steinhafel and CIO Beth Jacob. This results in a sudden emptiness of C-Suite level employees. Suddenly, there’s a lack of leadership and direction, causing its own internal combination of instability.

Today’s business leaders need to understand that a data breach is no longer limited to the company’s reputation, but the level of welfare of its customers. Just the event of a data breach can shatter the trust between the two entities. CEOs are now expected to be involved with managing the black swan’s consequences; in times of these hardships, they are particularly expected to continue being the voice of the company and to provide direction and assurance to vulnerable customers.

A business leader can be ousted from the company for not having taken cybersecurity seriously enough and/or not understanding the true costs of a cyberattack – that is, if the company hasn’t filed for bankruptcy yet.

Isn’t this something that my company’s Public Relations department should be handling?

One of the biggest contributors to the aftermath chaos of a black swan is the poor/lack of communication from the public relations team. By not disclosing a data breach in a timely manner, companies incur the wrath of the consumer and suffer an even bigger loss in customer loyalty because of delays. A timely announcement is expected as soon as the company discovers the incident, or according to the GDPR, within 72 hours of the discovery.

A company and its CEO should not solely depend on their public relations department to handle a black swan nightmare. Equifax revealed its data breach six weeks after the incident and still hadn’t directly contacted those that were affected, instead of creating a website for customer inquiries. Equifax continues to suffer from customer distrust because of the lack of guidance from the company’s leadership during those critical days in 2017. At a time of confusion and mayhem, a company’s leader must remain forthcoming, reassuring and credible through the black swan’s tide-changing effects.

Following the cybersecurity black swan, a vast majority of consumers must also be convinced that all the security issues have been addressed and rectified, and the company has a plan in place for any future repeated incidents. Those that fail to do so are at risk of losing at least every 1 in 10 customers, exhibiting the potential reach of impact a black swan can have within a company alone, beyond financial aspects.

How Do You Prepare for When the Black Swan Strikes?

When it comes to the black swan, the strategic method isn’t limited to be proactive or reactive, but to be preemptive, according to news publication ComputerWeekly. The black swan is primarily feared for its unpredictability. The key advantage of being preemptive is the level of detail that goes into planning; instead of reacting in real-time during the chaos or having a universal one-size fits all type of strategy, companies should do their best to develop multiple procedures for multiple worst-case scenarios.

Companies cannot afford to be sitting ducks waiting for the black swan to strike, but must have prepared mitigation plans in place for the likelihood. The ability to mitigate through extreme cyber threats and emerging cyberattack tactics is a dual threat to the company, depending on the level of cybersecurity preparation a company possesses. By implementing a strong cybersecurity architecture (internal or third-party), companies can adapt and evolve with the constant-changing security threats landscape; thereby minimizing the opportunities for hackers to take advantage.

In addition to having a well-built security system, precautions should be taken to further strengthen it including WAF Protection, SSL Inspections, DDoS Protection, Bot Protection, and more. Risk management is flawed due to its nature of emphasis on internal risks only. What’s been missing is companies must do more to include the possibilities of industry-wide black swans, such as the Target data breach in 2013 that later extended to Home Depot and other retailers.

It’s Time To Protect Sensitive Data

In the end, the potential impact of a black swan on a company comes down to its business owners. Cybersecurity is no longer limited to a CISO or CSO’s decision, but the CEO. As the symbol and leader of a company, CEOs need to ask themselves if they know how their security model works. Is it easily penetrated? Can it defend against massive cyberattacks?  What IP and customer data am I protecting?  What would happen to the business if that data was breached?

Does it protect sensitive data?

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Application SecurityCloud SecurityDDoS AttacksSecurityWAF

Protecting Sensitive Data: The Death of an SMB

September 26, 2018 — by Mike O'Malley1

protecting-sensitive-data-death-of-small-medium-business-960x522.jpg

True or False?

90% of small businesses lack any type of data protection for their company and customer information.

The answer?

Unfortunately true.

Due to this lack of care, 61% of data breach victims are specifically small businesses according to service provider Verizon’s 2018 Data Breach Investigations.

Although large corporations garner the most attention in mainstream headlines, small and mid-sized businesses (SMB) are increasingly attractive to hackers because of the combination of valuable records and lack of security protections. The high priority of sensitive data protection should not be limited to large companies but for organizations of all sizes.

While large corporations house large amounts of data, they are also capable of supporting their data center with the respective necessary protections. The combination of lacking security resources while maintaining sensitive personal information is what makes smaller-sized businesses the perfect targets for attackers. Hackers aren’t simply looking at how much information they can gather, but at the ease of access to that data – an area where SMB’s are largely deficient.

The bad publicity and dark connotation that data breaches hold create a survive-or-die situation for SMBs, but there are ways SMBs can mitigate the threat despite limited resources – and they exist in the cloud.

The Struggle to Survive

Because of their smaller stature as a company, most SMBs struggle with the ability to manage cybersecurity protections and mitigation of attacks – especially data breaches. In fact, financial services company UPS Capital found that 60% of smaller businesses fall out of business within six months after a cyberattack. Unlike business giants, SMBs cannot afford the financial hit of data breaches.

Security and privacy of sensitive data is a trending hot topic in today’s society, becoming more of an influence on customers’ purchase decisions. Customers are willing to pay more for provided security protections. Auditor giant KPMG reports that for mobile service providers alone, consumers would not hesitate to switch carriers if one provided better security than the other, as long as pricing is competitive or even for a moderate premium.

[You might also like: Protecting Sensitive Data: What a Breach Means to Your Business]

One Person Just Isn’t Enough

Many SMBs tend to prioritize their business over cybersecurity because of the false belief that attackers would go after large companies first. Research Center Ponemon Institute reports that 51% of its survey respondents say their company believes they are too small to be targeted. For businesses that do invest in cybersecurity, they narrowly focus on anti-virus solutions and neglect other types of attacks such as DDoS, malware, and system exploits that intrusion detection systems can protect from.

Auto dealerships, for example, are typically family-owned and operated businesses, valued at $4 million USD, with typically an average of 15-20 employees overall. Because of its size, of that number of employees there is typically only one employee that manages the IT responsibilities. Dealerships attempt to satisfy the need of security protection with this employee that has relevant certifications and experience; they are equipped with resources to support their day-to-day tasks, but not to manage high-level attacks and threats. Ponemon Institute’s research reports that 73% of its respondents believe they are unable to achieve full effective IT security because of insufficient personnel.

A study conducted by news publication Automotive News found that 33% of consumers lack confidence in the security protection of sensitive data at dealerships. The seriousness of cybersecurity protection, however, should not correlate to the number of employees but the amount and value of the sensitive data collected. The common error dealerships make isn’t the lack of care in their handling of sensitive data, but the underestimation of their likelihood of being attacked.

Dealerships collect valuable consumer information, both personal and financial – ranging from driver’s license information to social security numbers, to bank account information, and even past vehicle records. An insufficient budget and management of IT security make auto dealerships a prime target. In fact, software company MacKeeper in 2016 revealed a massive data breach of 120+ U.S. dealership systems made available on Shodan – a search engine for connected, but unsecured databases and devices. The source of the breach originated from backing up individual data systems to the vendor’s common central systems, without any cybersecurity protections in place.

The Answer is in the Clouds

Cybersecurity is often placed on the backburner of company priorities, perceived as an unnecessary expenditure because of the flawed perception and underestimated likelihood of being attacked. However, the level of protection over personal data is highly valued among today’s consumers and is enough to be the deciding factor for which OS or mobile app/site people would frequent, and likely which SMB they would patronize.

Witnessing the growing trend of data breaches and the rapid advancements of cyberattacks, SMBs are taking note and beginning to increase spending. It is crucial for organizations to not only increase their security budget but to spend it effectively and efficiently. Research firm Cyren and Osterman Research found that 63% of SMBs are increasing their security spending, but still experience breaches.

Internal security systems may seem more secure to smaller business owners, but SMBs lack the necessary security architecture and expertise to safeguard the data being housed. Cloud solutions offer what these businesses need: a data storage system with better security protection services. Meanwhile, in the same Cyren and Osterman Research report, only 29% of IT managers are open to utilizing cloud services. By utilizing cloud-based security as a solution, small-and medium-sized businesses no longer have to depend on one-staff IT departments, but can focus on the growth of their business. Cloud-based security solutions provide enterprise-grade protection alongside improved flexibility and agility that smaller organizations typically lack compared to their large-scale brethren.

Managed security vendors offer a range of fully-managed cloud security solutions for cyberattacks from WAF to DDoS. They are capable of providing more accurate real-time protection and coverage. Although the security is provided by an outside firm, reports and audits can be provided for a deeper analysis of not only the attacks but the company’s defenses. Outsourcing this type of security service to experts enables SMBs to continue achieving and prioritizing their business goals while protecting their work and customer data.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

SecurityService Provider

Protecting Sensitive Data: What a Breach Means to Your Business

August 29, 2018 — by Mike O'Malley0

data_falling_data_leaks-960x576.jpg

Data breaches have made big headlines in recent years, from Target to Equifax to Hudson’s Bay Co’s Saks and Lord & Taylor.  But the growing trend is actually in all the litigation stemming from data breaches. International law firm Bryan Cave analyzed the increasing trend of legal action following data breaches of all sizes. It found that in 2016 alone, there were 76 class action lawsuits related to data breaches:

  • 34% were within the medical industry
  • 95% had negligence as the most popular legal theory
  • 86% emphasized the breach of sensitive data

Our own research supports these findings. Radware’s 2018 Consumer Sentiments Survey found that 55% of U.S. consumers stated that they valued their personal data over physical assets, i.e. cars, phones, wallets/purses. In addition, Radware’s C-Suite Perspectives report revealed 41% of executives reported that customers have taken legal action following a data breach. Consequences of data breaches have extended past bad press, and include lasting effects on stock prices, customer acquisition costs, churn, and even termination of C-Suite level executives.

[You might also like: Consumer Sentiments About Cybersecurity and What It Means for Your Organizations]

Types of sensitive data vary by industry and therefore have respective attack methods. For example, the finance and commerce industry are expected to protect data such as names, contact information, social security numbers, account numbers and other financial information. Likewise, the healthcare industry is at high risk of data breaches, as medical records contain the same personal data in addition to more details that aid in identity fraud – such as doctor and prescription records, medical insurance information, and individual health attributes from height and weight to blood type.

On the surface, data breaches fall under the jurisdiction of CISO, CTOs, etc., but CEOs are now just as likely to be held responsible for these incidents; Target’s then-CEO was forced to resign following its 2013 data breach.  Other CEO’s at Sony and Home Depot were no longer in their positions within 6 months of their high profile breaches.

Laws and regulations surrounding data breaches are now moving at a faster pace due to steeper consequences, with the implementation of the European Union’s General Data Protection Regulation (GDPR) and the United States’ growing interest and demand in data privacy and protection. Security at its bare minimum is no longer realistic, and instead a competitive advantage for smart companies. C-level executives who aren’t reviewing security plans are opening themselves and their companies to significant liabilities.

How does GDPR affect me?

The GDPR’s purpose is providing protection over the use of consumers’ personal data. Companies are now held to a higher expectation to protect their customers’ data, further emphasizing the evolving consideration of cybersecurity as a necessity in business. At its strictest, companies found not having done enough can be penalized upwards of €20 million or 4% of the offending organization’s annual worldwide revenue.

Although data breaches alone are months of bad publicity in general, the wrath of consumers often stem from the delayed notification and response from the company. Companies incur this fury when they attempt to keep a data breach hidden only for it to be uncovered, resulting in increased litigation costs. The GDPR now mandates and upholds companies to the high standard of notifying data breach-affected consumers within 72 hours.

Targeted for a Data Breach

In 2013, one of the most notable, mainstream headlines focused on the data breach of Minnesota-based, retail giant Target Corporation. During the holiday shopping season, Target revealed their mass data breach of personal information, of which 40 million customers had personal financial data stolen and 70 million had general personal data (such as email and addresses) revealed. Attackers were able to exploit the company’s customer database through a third-party vendor’s stolen credentials, utilizing malware as the weapon of choice; the same malware was later utilized to attack other retailers such as Home Depot. Hackers after the finance and retail industry still utilize malware like Target’s 2013 data breach to create pathways from minimally-protected 3rd parties into more complex systems.

At the end of the investigation, Target had to pay a fine of $18.5 million across the U.S. in addition to its cumulative legal fees of a staggering $202 million for the data breach. What goes unmentioned however, is also the potential cost of lost customers from these breaches, as well as the brand reputation decline. The company must also abide to new Terms of Agreements by various State Attorney Generals that include requiring Target to employ a security leader for the creation and management of a thorough information security program, in addition to other related guidelines.

The Early Bird Avoids the Attack

Target became a lasting example of the need for cybersecurity to be implemented within a company’s architecture and business processes. The topic of protecting customer data has become its own high-profile discussion across various industries, rather than just within the technology industry. Being proactive with not only the security surrounding the company’s products/services, but also the data it collects, will be a competitive differentiator moving forward.

Radware research found that 66% of C-Suite Executives across the world, believed hackers could penetrate their networks, yet little is changed to implement protections as exhibited by the graphic below.

[You might also like: Cybersecurity & Customer Experience: Embrace Technology and Change to Earn A Customer’s Loyalty]

Sensitive data across all industries are valuable, coming at different prices in the dark net market. As data breaches are becoming more commonplace, industries have to take different levels of precaution in order to protect consumers’ personal data. For example, the healthcare industry heavily utilizes encryption to protect data such as medical records and prescription history. However, attackers are also implementing encryption attack tools in order to access this information. It is crucial for the cybersecurity systems of these organizations to be able to distinguish between valid encrypted information versus attack information encrypted with SSL, in order to prevent a breach. A comprehensively designed network infrastructure that consistently manages and monitors SSL and encryption technology through its security systems can ensure protected network and data privacy.

Transitioning cybersecurity from the hallways of IT and embedding it into the very foundation of business operations allows an organization to scale and focus on security innovation, rather than scrambling to mitigate new threats as they evolve or worse, litigating expensive class actions. In addition, this proactive approach further builds customer relationships via improved trust and loyalty. Knowing that cybersecurity is a company’s and CEO’s priority will help the customer feel more at ease with potential partnerships and strengthens the level of trust between.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Attack Types & VectorsSecurity

Is My Smart Home Telling People What I Do Every Day?

February 13, 2018 — by Mike O'Malley4

smart-homes-iot-960x640.jpg

2017 will forever be known as the year that the smart home started to take off.  Researchers estimate that Amazon has sold over 15 million Echo devices  to date. Plus, Google has sold another 5 million Google Homes.  The overall smart home market is expected to grow to over $50 billion by 2022.  Already 1 in 4 U.S. households has some kind of smart device in their home.  With all the smart thermostats, smart fridges, smart light bulbs, smart doors and windows, personal assistants, and smart home surveillance, internet-connected home devices are rapidly stacking up in U.S. households. These devices are adding convenience and efficiency, but are they safe?