2018 is the year the CEBIT reinvents itself as a digital fair-festival. Let's look back at the event, which we attended.
A Brand-new CEBIT
Running since 1986, the CEBIT had its best years in the 1990s-2000s, with up to 6,500 exhibitors and 800,000 visitors. In decline since then, the CEBIT chose to transform itself into a fair-festival. Classic exhibition stands remain in the halls, while an open-air area in the middle of the exhibition grounds is dedicated to the festival. There you can find a Ferris wheel (SAP), a cloud lifter (IBM), a surf wave (INTEL), various food trucks and concerts in the evenings.
Cyberattacks regularly made the news in 2017, and 2018 continues the trend, from the Olympic Games to the record-breaking DDoS attacks (for those who missed the news: the memcached reflection attack). This gives the impression that cyberattacks are more and more frequent and bigger and bigger. But what is the actual situation?
We have put together some interesting 2017 statistics related to cybersecurity, focusing on data related to our speciality: penetration tests of web platforms, mobile applications and IoT.
At a Glance
Two main points stand out:
77% of organisations worldwide fell victim to at least one successful cyberattack in 2017. (1)
On average, attacks are discovered after more than 6 months (191 days!) and corrected after more than 2 months (66 days). (2)
In one year from today, the General Data Protection Regulation (GDPR) will be enforced in the European Union. This new regulation aims to unify everything that has been done so far in terms of data protection in the EU, but it also goes one step further with sanctions for non-compliant companies and broadens the definition of personal data.
The sanctions for companies that do not comply with the GDPR should be dissuasive enough, with fines that could reach 4% of global turnover up to €20 million. European companies are not the only ones that could be penalised by the EU, as any company dealing with the personal data of European citizens will have to comply with the GDPR.
Article 4(1) of the GDPR defines personal data as: « an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. » For example, IP addresses and browser cookies fall under the category 'online identifier', whereas they were not previously considered personal data. Companies using data will need "freely given, specific, informed and unambiguous" consent from users (Art. 4(11)). In practice, companies will have to explain thoroughly to their users what will be done with their data.
Why is it important for companies?
This new regulation should have a positive impact on consumers and internet users. Since trust is a fundamental criterion for people buying on an e-commerce platform or using online services, knowing that a website falls under the GDPR should reassure users. The whole web industry should then benefit from a better image. It could even be worthwhile for companies to communicate that they are compliant with the regulation and to explain to their users what this implies. This would surely be a competitive advantage for companies that are proactive on cybersecurity. Indeed, the GDPR also states that any data leak must be reported to its users within 72 hours. Rather than a threat to companies' reputation, this should be seen as an opportunity to raise their security level and improve their processes.
What about users?
The GDPR will give individuals better control over their data. This means that for any service they use, they will be able to request their data and demand its deletion. Another benefit for European citizens is that they will not have to worry about the nationality of a company before using its services. Indeed, all companies dealing with data from European citizens will have to comply with the GDPR regardless of whether they are based in Europe or not. This benefits not only individuals but also European companies that might have feared unfair competition from outside the EU.
Our team has conducted a short survey about perceptions of mobile application security among more than 100 companies developing mobile applications. The result is striking: half of these companies do not secure their applications, mainly because of a lack of risk awareness.
There are many SMBEs developing mobile applications
In this survey, more than 100 mobile application specialists gave their views (developers, project managers and product managers). 80% of them work for SMBEs, mostly software companies and IT consulting companies.
One in two companies does invest in mobile application security
This will not surprise cybersecurity specialists, but it is still worth noting that 1 out of 2 respondents says their company is concerned about mobile application security and has a budget for it. About 30% of respondents say that their company is interested in the topic but has not invested in it yet, while about 20% say that mobile application security is not a priority or that they do not even know what it is about.
If we consider that simply answering a questionnaire about mobile security already shows a minimum of interest in the topic (or some goodwill), the survey excludes a number of people who feel unconcerned by it. The results of this study are therefore very likely too optimistic about people's interest in security issues.
Mobile applications are everywhere. Personal and professional social networks, hotel and restaurant booking, calendaring, note taking, order taking, CRM software, stock management software, banking portals, financial management tools… All industries are concerned. A growing number of mobile applications store personal data, or even sensitive data, in the application itself or on a web server. This creates a strong need for data security. However, mobile security is largely ignored by companies that develop mobile…
On January 25th and 26th, the 8th International Cybersecurity Forum (« Forum International de la Cybersécurité ») will take place in Lille, France. This is a great opportunity to learn about trending digital security topics and to meet cybersecurity expert firms. Data-related cybercrime, data insurance, the crisis of user confidence, security incident management… Data is an omnipresent topic. In a technological context marked by Big Data, Smart Cities and IoT, data protection is absolutely vital. Recent…
The Data Breach Investigation Report 2015 (DBIR), released a few weeks ago by Verizon, is the result of a huge analysis covering 61 countries and describing almost 80K security incidents. It comes as no surprise that web application attacks are an important topic in this report, and the figures that come out of it are very interesting.
Our main focus at VAADATA is web applications security, so we extracted web apps related information from this report and gathered it in this article.
Warning: the figures that follow relate to data breaches only, so they do not provide a full overview of web application attacks. Other risks such as brand damage or business continuity are not discussed here.
A first very interesting fact concerns strategic web attacks. A strategic web attack can be seen as the first step of an overall cyberattack, where the attacker uses a website as a means to serve malware, hoping that the final target will be infected so the next steps of the attack can proceed. This means that the website is not necessarily the target but a secondary victim. The statistics tell us that there is a secondary victim in 70% of the attacks where the motive is known.
Data protection has been a very hot topic since the NSA spying scandal that followed Edward Snowden's disclosures. In the spring of 2014, the European Parliament adopted a regulation on personal data protection. 2015 promises to be a key year because the EU member states now have to reach an agreement.
The new regulation includes key measures for protecting the data of EU citizens: a personal data breach notification requirement, impact assessments for the riskiest data processing, clarification of the consent required to collect and process personal data, creation of new rights concerning data portability and the deletion of personal information, as well as fines of up to 5% of global annual turnover for companies that violate the rules.
The European regulation eIDAS (Electronic identification and signature), dated July 2014, aims to boost trust in secure cross-border electronic transactions. It is an important step towards the standardisation of security rules within the European Union. What is its impact?
New Year is a good time for setting goals and changing old habits. Here are Vaadata’s suggestions about resolutions you can take for improving the security of your web apps.
1. I take an interest in web security issues
This is a first step. You have obviously heard of Sony Pictures and other major companies that were hacked in 2014. In fact, big companies are not the only ones prone to cyberattacks. Although we generally do not hear news about small companies being hacked, it is a common phenomenon. A website that does not contain highly valuable data can still be a valuable target for hackers seeking to take control of it and use it to attack other websites. Of course, this causes serious damage to the website's owners, who eventually find that users are leaving and that the reputation of their service has been ruined.
It is not a matter of choice: it is time to learn about security issues.