Substantial Rise in Bot-Driven Internet Traffic Presents a Glaring Blind Spot for IT Security
As 79% of Organizations Can’t Tell For Certain If Web Traffic Comes From Humans Or Bots
Radware® (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions, released a new study today titled Radware Research: Web Application Security in a Digitally Connected World. The report takes an in-depth look into how organizations protect their web applications, identifies clear gaps in security among common DevOps practices, highlights top attack types and vectors, and identifies key areas of risk and concern.
The research, which focused on such highly targeted industries as retail, healthcare and financial services, exposes the proliferation of bot-driven Web traffic and its impact on organizations’ application security. In fact, bots conduct more than half (52%) of all Internet traffic flow. For some organizations, bots represent more than 75% of their total traffic. This is a significant finding considering one-in-three (33%) organizations cannot distinguish between ‘good’ bots and ‘bad’ ones.
The report also found that nearly half (45%) of respondents had experienced a data breach in the last year, and 68% are not confident they can keep corporate information safe. What’s more, companies often leave sensitive data under-protected. In fact, 52% do not inspect the traffic that they transfer to-and-from APIs, and 56% do not have the ability to track data once it leaves the company.
Any organization that collects information on European citizens will soon be required to meet the strict data privacy laws imposed by the General Data Protection Regulation (GDPR). These regulations take effect in May 2018. However, with less than a year until the due date, 68% of organizations are not confident they will be ready to meet these requirements in time.
“It’s alarming that executives at organizations with sensitive data from millions of consumers collectively don’t feel confident in their security,” said Carl Herberger, Vice President of Security Solutions at Radware. “They know the risks, but blind spots continue to pose a threat. Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines.”
According to Dr. Larry Ponemon, "This report clearly shows that pressure to continuously deliver application services limits DevOps' ability to ensure web application security at various stages in the SDLC."
Key Survey Findings Include:
- Application security is an afterthought. Everyone wants the full automation and agility that the continuous delivery model of app development provides. Half (49%) of the respondents currently use the continuous delivery of application services and another 21% plan to adopt it within the next 12-24 months. However, continuous delivery can compound the security challenges of app development: 62% reckon it increases the attack surface and approximately half say that they do not integrate security into their continuous delivery process.
- Bots are taking over. Bots are the backbone of online retail today. Retailers use bots for price aggregation sites, electronic couponing, chatbots, and more. In fact, 41% of retailers reported that more than 75% of their traffic comes from bots, yet 40% still cannot distinguish between “good” and “bad” bots. Malicious bots are a real risk. Web scraping attacks plague retailers by stealing intellectual property, undercutting prices, holding mass inventory in limbo, and buying out inventory to resell goods through unauthorized channels at markup. But bots are not the exclusive problem of retailers. In healthcare, where 42% of traffic is from bots, only 20% of IT security execs were certain they could identify the “bad” ones.
- API security is often overlooked. Some 60% of organizations both share and consume data via APIs, including personally identifiable information, usernames/passwords, payment details, medical records, etc. Yet 52% don’t inspect the data that is being transferred back and forth via their APIs, and 51% don’t perform any security audits or analyze API vulnerabilities prior to integration.
- Holidays are high risk for retailers. Retailers face two distinct but highly damaging threats during the holidays: outages and data breaches. Web outages during the holiday season, when retailers make most of their profits, could have disastrous financial consequences. Yet more than half (53%) are not confident in their ability to provide 100% uptime of their application services. High-demand periods like Black Friday and Cyber Monday also spell trouble for customer data: 30% of retailers suggest they lack the ability to secure sensitive data during these periods.
- Patient healthcare data is at risk. Just 27% of healthcare respondents have confidence they could safeguard patients’ medical records, even though nearly 80% are required to comply with government regulations. Patching systems is critical to an organization’s security and its ability to mitigate today’s leading threats, but some 62% of healthcare respondents have little or no confidence in their organization’s ability to rapidly adopt security patches and updates without compromising operations. More than half (55%) of healthcare organizations said they had no way to track data shared with a third party after it left the corporate network. Healthcare organizations are particularly unlikely to monitor the Darknet for stolen data, with 37% saying they did so, compared to 56% in financial services, and 48% in retail.
- Multiple touchpoints equal higher risk. The rise of new financial technology (like mobile payments) has increased the access and volume of engagement with consumers, which, in turn, increases the number of access points with vulnerabilities and expands the risk security executives face. While 72% of financial services organizations share usernames and passwords and 58% share payment details via APIs, 51% do not encrypt that traffic, potentially exposing valuable customer data in transit.
The survey, conducted by Ponemon Research on behalf of Radware, included responses from more than 600 chief information security officers and other security leaders across retail, healthcare, and financial services on six continents.
To read the full report on the survey’s findings, download Radware Research: Web Application Security in a Digitally Connected World Report.
THIS PRESS RELEASE AND THE REPORT ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY. THESE MATERIALS ARE NOT INTENDED TO BE AN INDICATOR OF RADWARE'S BUSINESS PERFORMANCE OR OPERATING RESULTS FOR ANY PRIOR, CURRENT OR FUTURE PERIOD.
Radware® (NASDAQ: RDWR) is a global leader of application delivery and cyber security solutions for virtual, cloud and software defined data centers. Its award-winning solutions portfolio delivers service level assurance for business-critical applications, while maximizing IT efficiency. Radware’s solutions empower more than 10,000 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.
Radware encourages you to join our community and follow us on: Facebook, Google+, LinkedIn, Radware Blog, SlideShare, Twitter, YouTube, Radware Connect app for iPhone® and our security center DDoSWarriors.com that provides a comprehensive analysis on DDoS attack tools, trends and threats.
©2017 Radware Ltd. All rights reserved. Radware and all other Radware product and service names are registered trademarks or trademarks of Radware in the U.S. and other countries. All other trademarks and names are property of their respective owners. The Radware products and solutions mentioned in this press release are protected by trademarks, patents and pending patent applications. For more details please see: https://www.radware.com/LegalNotice/
Safe Harbor Statement
This press release may contain statements concerning Radware’s future prospects that are “forward-looking statements” under the Private Securities Litigation Reform Act of 1995. Statements preceded by, followed by, or that otherwise include the words "believes", "expects", "anticipates", "intends", "estimates", "plans", and similar expressions or future or conditional verbs such as "will", "should", "would", "may" and "could" are generally forward-looking in nature and not historical facts. For example, when we say “Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines,” we are making a forward-looking statement. Because such statements deal with future events, they are subject to various risks and uncertainties and actual results, expressed or implied by such forward-looking statements, could differ materially from Radware's current forecasts and estimates. Factors that could cause or contribute to such differences include, but are not limited to: the impact of global economic conditions and volatility of the market for our products; changes in the competitive landscape; inability to realize our investment objectives; timely availability and customer acceptance of our new and existing products; risks and uncertainties relating to acquisitions; the impact of economic and political uncertainties and weaknesses in various regions of the world, including the commencement or escalation of hostilities or acts of terrorism; intense competition in the market for Application Delivery and Network Security solutions and in our industry in general; and other factors and risks over which we may have little or no control. This list is intended to identify only certain of the principal factors that could cause actual results to differ.
For a more detailed description of the risks and uncertainties affecting Radware, reference is made to Radware’s Annual Report on Form 20-F, as amended, which is on file with the Securities and Exchange Commission (SEC) and the other risk factors discussed from time to time by Radware in reports filed with, or furnished to, the SEC. Forward-looking statements speak only as of the date on which they are made and, except as required by applicable law, Radware undertakes no commitment to revise or update any forward-looking statement in order to reflect events or circumstances after the date any such statement is made. Radware’s public filings are available from the SEC’s website at www.sec.gov or may be obtained on Radware’s website at www.radware.com.