Cybercrime is no longer monopolized by elite criminals and no longer consigned to the dark web alone. Recent investigations indicate that hackers have become much braver and are now operating in the open, using popular apps to conduct illegal dealings.
Criminals are now using consumer applications and social media platforms to trade valuable personally identifiable data (PII) such as stolen payment card details.
Data is being stored in an ever-shifting array of locations, creating more opportunities for the cybercrime ‘industry’. The exploding web application universe offers multiple new and vulnerable attack vectors that can act as a direct gateway to enterprise data.
Businesses have a duty to review their web application landscape and ensure the data passing over these systems is secure. One system backdoor or poorly coded component could lead to a major, organization-wide breach – so it’s worth making the effort to get it right.
Why attack a web application?
Attackers keep looking for novel ways to extract information and send commands. By operating ‘in the open’, the traffic generated can be made to appear less suspicious and less likely to be blocked.
To minimize the chance of data being stolen more co-operation is required between popular application platforms and security professionals, as well as an increase in consumer awareness. Underpinning all that is a need for better data-centric security – ensuring that personally identifiable information is secured wherever it moves.
As soon as you input data into a web application, its security and its use are now out of your control. It becomes a question of privacy and trust - do the owners of the application really just keep your data for a certain amount of time?
For consumers, if you wouldn’t want the World to know it, don’t put it online, and for businesses, investing in data-centric cybersecurity is a must.
The human factor
More often than not, however, breaches are a result of data owners themselves making a mistake. We expect that the organizations with which we share our data are doing what their best to protect it, but in reality there is often far less scrutiny in place than expected.
Unfortunately, most companies still can’t answer basic questions on where sensitive data is stored, who uses it and what was lost if there’s a breach. There needs to be an increased focus on data monitoring and depth of insight.
Too many organizations collect private data, yet don’t treat it like the important asset it is to you. Data importance is relative and while regulatory compliance helps to build importance on private consumer data, most agree it doesn’t go far enough.
The privacy question
At the heart of this debate is the question of privacy. More and more, the speed of business requires technical connections between companies. Data must be shared between these entities and so must the varying security practices of each partner, creating risk within the ecosystem.
For companies that store personal data, there is a hefty burden of responsibility. Once private data’s been stolen, it’s gone. The people you trusted to store your data are responsible for it. Therefore, companies in that position must ensure they protect the personal data they hold.
Ways forward
Private data is a living asset within a company, growing to support the business over time. Data crosses functional corporate boundaries, possibly starting in shipping, then marketing, then customer success, each with their own processes for privacy. The more touching hands, the more risk.
The front end to data, web applications, are typically protected via web application firewall technology. This technology comes has been available to companies for more than two decades. There is little excuse today for companies who fall victim to web application exploits.
On the back side of web applications, lives the data itself. Companies require the use of automation to support their teams protecting it. There are very few experts in the field of data security, so companies leverage machine learning and artificial intelligence in lieu of humans to identify bad behavior within the massive volumes of utilized corporate data.
Many companies have grown beyond their ability to rapidly protect all data. This leads them to prioritize those systems that are most impactful to their business to protect first. This is somewhat admirable, but leaves other systems exposed. The data left unprotected, while not impactful to the business, may be very impactful to you.
This is the World we live in today and while its changing slowly, my recommendation stays the same. Limit how much you expose yourself and your family’s data to the World. There are somethings you simply can’t avoid, but there are many more places where it is not worth the risk to share your data.