Boards have woken up to the value of security, but it doesn’t make the fight any easier


We have at last witnessed a shift in the world of security, and it’s definitely one we should reflect on. In the latest research with C-suite execs across the world, 98 per cent say that security is a shared responsibility and that they spend half their time thinking about it. In fact, 72 per cent of execs now say security is on the agenda every time the board meets.

For as long as I can remember, security execs have been banging a large and loud drum that the board needs to take security seriously and not pay it lip service, and that the role of Chief Security Officer (CSO) needs to be formed and taken as seriously as the CEO’s.

There will be numerous reasons that we have reached this juncture. Not least the change in legislation will have prompted some action. GDPR in Europe is certainly taking hold, with 52 per cent of European execs having self-reported an incident under GDPR last year – the net result of the deluge of attacks, which for some are a daily occurrence.

I’d bet one reason is the cost they have felt or have witnessed other companies bear after a cyber-attack. The average amount stated was $4.6m, and with the Mondelez v Zurich case still rumbling on, it’s a word of caution that even insurance won’t get you out of a cyber-security hole.

And then there is the changing mood of consumers. With 74 per cent of companies admitting to a data breach in the last year, it stands to reason people are fed up with the risks they contend with when choosing a company to do business with. It’s costing businesses big time – on average $100,00 to win back a customer, and a customer churn of 30 per cent. Those numbers are horrible reading in anyone’s marketing book.

Security is a business driver

Last year, execs say that security incidents without doubt contributed to customer brand reputation loss in half the cases, and revenue loss or operational loss in a third. No wonder security is on the agenda.

No matter the reasons, what’s heartening is that the board now considers security not as a problem but a driver for its business. We have reached a point where security can be used for brand management – quite a significant point – as two thirds of execs say security is a key part of their marketing messages.

It’s recognised as a way to reassure customers, differentiate and even innovate on product, as witnessed by the fact that 50 per cent of companies surveyed now offer dedicated security products and services to their customers, and some 40 per cent are offering security features as add-ons.

The fact that billions of dollars have been invested in transformation programmes, cloud technologies and applications has been a boon for creating this marketing approach. But it’s also meant the floodgates are open for security breaches, and the fact the board recognises the importance of security is now a double-edged sword. Money has to be spent on ensuring they live up to the security expectation.

The reality is that around 75 per cent of execs are witnessing unauthorised attacks on their public cloud assets – often from two sources. First, the more unexpected source of employees using slack DevOps processes and, secondly, as you would expect, from hacking.

The second will never go away, and is only going to get worse as bots take on the mantle. They are making a dent in revenue and skewing marketing analytics in about half of cases, and a third have seen the abuse of user payment accounts. To think that boards are now talking about bots in boardroom meetings is quite something. CEOs wouldn’t have known what they were three years ago. 

Targeting specific industries

But talk about bots they must. Bad bots are growing in use and contribute to over 22 per cent of bot traffic across the globe compared to 18 per cent of good bot traffic. In comparison to 2018, the evidence suggests that hackers are now turning to bots more readily, creating networks if necessary, to cause disruption to commerce, commit fraud and steal personal data.

And there are certain sectors that are being specifically targeted by bad bots, with a quarter of bad bot traffic witnessed in e-commerce compared to 12 per cent good. They are also becoming prolific in online marketplaces and classifieds, media and publishing, and real estate.

Looking at the sectors in more detail, there are a variety of reasons why they are a target. Media and publishing sites are targeted with the aim of disrupting home page performance in particular, with a view to performing ad fraud – bad bot traffic accounts for a third of traffic on the home page, followed by bad bots interfering with articles (25 per cent), news (25 per cent) and reviews (15 per cent). In real estate, by contrast, it’s aggregators and competitors who are using underhand tactics to scrape listings, with 15 per cent of traffic on display pages being made up of bad bots.

In a similar way, online marketplaces and classifieds are targeted to disrupt listings on product pages (26 per cent) and overcome login pages (19 per cent) to take over user accounts and steal profile data.

In the world of e-commerce, it’s the ability to scrape product pages and pricing (34 per cent) and category pages (25 per cent) that most appeals to hackers.

Anticipating the types of bot you’ll encounter is also difficult. But broadly we can see that there are four types of bot attack, with a growth in new forms, including human-like ones which are more sophisticated than their predecessors, simple and headless browser bots.

Simple and headless browser bad bots dominate, favoured for their simplicity: they use fewer IP addresses and make thousands of hits from each one. However, third and fourth generation bad bots, comprising human-like bots and distributed bad bots, are more common today and are capitalising on the ability to move through thousands of IP addresses to attack ‘low and slow’ and sneak past basic security.
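To make the difference concrete for defenders, here is an added example (not from the article or from Radware) that runs a basic per-IP hit threshold and a cross-IP grouping over constructed access-log records. The `fingerprint` field, the thresholds and all sample addresses are assumptions made for illustration.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed access-log records: (client_ip, fingerprint, path)."""
    rows = []
    # Simple bot: one IP, thousands of hits on product pages.
    rows += [("198.51.100.7", "fp-simple", f"/product/{i % 50}") for i in range(3000)]
    # Distributed 'low and slow' bot: 400 IPs, 3 login hits each, one fingerprint.
    for n in range(400):
        ip = f"10.0.{n // 200}.{n % 200 + 1}"
        rows += [(ip, "fp-dist", "/login")] * 3
    # Ordinary visitors: 200 IPs, 20 different fingerprints, a few pages each.
    for n in range(200):
        ip = f"10.9.0.{n + 1}"
        rows += [(ip, f"fp-user-{n % 20}", p) for p in ("/", "/product/1", "/login")]
    return rows

def per_ip_flags(rows, threshold=1000):
    """Basic control: flag any IP whose hit count reaches the threshold."""
    hits = Counter(ip for ip, _, _ in rows)
    return {ip for ip, count in hits.items() if count >= threshold}

def distributed_flags(rows, min_ips=100, max_avg_hits=5):
    """Flag (fingerprint, path) pairs requested by many IPs, a few hits each.

    'fingerprint' is a hypothetical client signature supplied by the edge;
    on real traffic it needs tuning so popular browsers are not flagged.
    """
    ips = defaultdict(set)
    hits = Counter()
    for ip, fingerprint, path in rows:
        ips[(fingerprint, path)].add(ip)
        hits[(fingerprint, path)] += 1
    return {
        key for key, seen in ips.items()
        if len(seen) >= min_ips and hits[key] / len(seen) <= max_avg_hits
    }

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP threshold flags:", per_ip_flags(sample))
    print("cross-IP grouping flags:", distributed_flags(sample))
```

The per-IP threshold catches only the single noisy address, while the 400 addresses making three login requests each surface only once traffic is grouped by something other than source IP.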

With so many different tactics, and so many forms of attack emerging and joining the tried and tested DDoS-style attacks already in play, it’s no wonder that the answer to fighting back will be a mixed bag of tricks. Every company will need to form its own strategy, but certainly the avenue of machine learning and AI is one many are exploring. More budget is going into the technologies and there’s a move to use both in-house and third-party security solutions to defend the fort.

But it will always need skill. People are still at the heart of a good security strategy – those who can read the landscape, devise the strategy and deploy it. And most especially those who can keep the drum banging at the boardroom table.

Eric Bueno, regional director for Northern Europe, UK and Ireland, Radware

Eric Bueno is Radware's Regional Director for the Northern Europe region, responsible for UK & Ireland, Sweden, Denmark, Finland and Norway. Eric has more than 20 years of experience in management, sales and marketing in the IT industry working for large corporations such as Sun Microsystems, Microsoft and Check Point Software Technologies.