Category

News

Category

What is the GDPR?

In one year from today, the General Data Protection Regulation (GDPR) will be enforced in the European Union. This new regulation aims at unifying everything that had been done until now in terms of data protection in the EU, but also goes one step further with the sanctions for unlawful companies, and broadens the definition of private data.

The sanctions for companies that do not respect the GDPR should be dissuasive enough with fines that could reach 4% of the global turnover up to €20 million. Europeans company are not the only one that could be penalized by the EU, as any company dealing with personal data of European citizens will have to comply with the GDPR.

The article 4(1) of the GDPR defines personal data as: « an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. » For example, under the category ‘online identifier’ fall the IP addresses or the navigation cookies, which were not considered before as personal data. Companies using data will need a “freely given, specific, informed and unambiguous” consent from the users (Art.4(11)). In practice companies will have to thoroughly explain to their users what will be done with their data.

Why is it important for companies?

This new regulation should have a positive impact on consumers and internet users. Trust being a fundamental criterion for people buying on an e-commerce platform or using online services, knowing that the website falls under the GDPR should reassure users. The whole web industry should then benefit from a better image. It could even be relevant for companies to communicate on the fact that they are compliant with the regulation and to explain to their users what it implies. This would surely be a competitive advantage for companies that are being proactive on the cybersecurity topic. Indeed, the GDPR also states that any data leaks must be reported to its users within 72 hours. Rather than a threat for companies’ reputation, this should be seen as an opportunity to level up their security level and processes.

gpdr-grpd-security-website

What about users?

The GDPR will give to individuals a better control onto their data. This means that for any service they will use, they will be able to ask for their data and demand their destruction. Another benefit for European citizens is that they won’t have to worry about the nationality of a company before using its services. Indeed, all companies dealing with data from European citizens will have to comply with the GDPR regardless of whether they are based in Europe or not. This does not only benefit the individuals, but also European companies that could have feared unfair competition from outside the EU.

Our team has conducted a short survey about mobile application security perceptions amongst more than 100 companies developing mobile applications. The result is impressive : one half of these companies do not secure their applications especially because of a lack of risk awareness.

There are many SMBEs developing mobile applications

In this survey more than 100 mobile applications specialists have given their views (developers, project managers and product managers). 80% of them work for SMBEs, mostly software companies and IT consulting companies.

sc1

sc2

One in two companies does invest in mobile application security

This will not surprise cybersecurity specialists, but still it is worth noting that 1 out of 2 respondent says his company is concerned by mobile application security and has a budget for it. About 30% of respondents say that their company is interested in the topic but has not invested on it yet. While about 20% of respondents say that mobile application security is not a priority or that they do not even know what it is all about.

If we consider that the simple fact of answering a questionnaire about mobile security does already show a minimum of interest for the topic (or some good will), this excludes a number of people who feel unconcerned about it. So the results of this study are very likely to be too optimistic about people’s interest for security issues.

sc3

Mobile applications are everywhere. Personal and professional social networks, hotels and restaurant booking, calendaring, note taking, order taking, CRM software, stock management software, banking portals, financial management tools… All industries are concerned. A growing number of mobile applications store personal data – or even sensitive data – in the application itself or on a web server. This leads to strong needs for data security. However mobile security is largely ignored by companies that develop mobile…

On January 25th and 26th the 8th Cybersecurity International Forum (« Forum International de la Cybersécurité ») will take place in Lille, France. This is a great opportunity to learn about digital security trending topics and to meet cybersecurity expert firms. Data-related cybercrime, data insurance, crisis of users’ confidence, security incident management… Data is an omnipresent topic. In a technological context marked by Big Data, Smart Cities and IoT, data protection is absolutely vital. Recent…

The Data Breach Investigation Report 2015 (DBIR) released a few weeks ago by Verizon is the result of quite a huge analysis, representing 61 countries and describing almost 80K security incidents.
This comes as a surprise to no one that web application attacks are an important topic in this report, and the figures coming out are very interesting.

Our main focus at VAADATA is web applications security, so we extracted web apps related information from this report and gathered it in this article.

Warning: The figures that follow are related to data breaches only, meaning that it does not provide a full overview of web application attacks. Other risks like brand damage or business continuity are not discussed here.

One first very interesting fact is about strategic web attacks: A strategic web attack can be considered as a first step in an overall cyber attack, where the attacker uses the website as a mean to serve up malwares, hoping that the final target will be infected to further the next steps of the attack.
This means that the website is not necessary the target, but a secondary victim.
Statistics tell us that there is a secondary victim in 70% of the attacks where the motive for the attack is known.

statistiques attaques web illustration

Data protection has been a very hot topic since the NSA spying scandal following Edward Snowden’s disclosures. In the spring of 2014, European Parliament adopted a regulation on personal data protection. 2015 promises to be a key year because the EU member states have to reach an agreement now.

The new regulation includes key measures for protecting the data of EU citizens: personal data breach notification requirement, impact evaluation analysis for the riskiest processing of data, clarifying of consent to collect and process personal data, creation of new rights concerning data portability and the deleting of personal information, as well as fines up to 5% of global annual turnover for companies who violate the rules.

Security inspector

New Year is a good time for setting goals and changing old habits. Here are Vaadata’s suggestions about resolutions you can take for improving the security of your web apps.

Happy New Year 2015 - illustration

1. I take an interest in web security issues

This is a first step. Obviously, you have heard of Sony Pictures and other major companies having been hacked in 2014.
In fact, it is not just big companies who are prone to cyber attacks. Although we generally do not get news about small companies being hacked, this is a common phenomenon. A website that does not contain highly valuable data can be a valuable target for hackers who are seeking to take control over it and use it for attacking other websites.
Of course, this causes high damages to the website’s owners when they eventually find that digital users are running away and that the reputation of their service has been ruined.

It is not a matter of choice: this is time for learning about security issues.

The Ponemon Institute released last week the 5th annual Cost of Cyber Crime Study results.
The study benchmarked 257 organizations, in 7 different countries (United States, Germany, Japan, United Kingdom, France, Australia, Russia).

It is not a surprise that web-based attacks have a big role in cyber threats, in terms of costs and attack frequency.

Significant takeaways

The following facts are not directly related to web attacks, but are really interesting and give a big picture of today’s threats and cybercrime trends.

web application security statistics illustration

The recent report provided by Verizon, “Data Breach Investigation Report – 2014” gives us a lot of useful and very clear analysis of data breaches that occurred in 2013.
It goes without saying that it is a report based on what could be collected from organizations, meaning that it does not represent the reality, but it seems to be very close to it, if we consider the very large amount of data that has been collected.

One key point of this report is that 94% of data breaches that occurred in 2013 can be described by only 9 patterns. And guess what, the number #1 pattern, with 35% is Web Application Attacks.
Other patterns are POS intrusions, Insider Misuse, Physical theft/loss, Miscellaneous errors, Crimeware, Card skimmers, DoS attacks, cyber-espionage.