Bad Bots and Poor App Security Plague Vertical Markets

A proliferation of bot-driven web traffic is having a significant impact on organizations' application security—even as nearly half (45%) of them have experienced a data breach in the last year.

According to a Ponemon Institute survey of 600 CISOs and other security leaders across retail, healthcare, and financial services on six continents, bots conduct more than half (52%) of all internet traffic flow. For some organizations, bots represent more than 75% of their total traffic. This is a significant finding considering that one in three (33%) organizations cannot distinguish between "good" bots and "bad" ones.

The report also found that 68% are not confident they can keep corporate information safe, and that they often leave sensitive data under-protected. Poor practices abound: Some 60% of organizations both share and consume data via APIs, for instance—including personally identifiable information, usernames/passwords, payment details, medical records, etc. Yet 52% don't inspect the data that is being transferred back and forth via their APIs, and 51% don't perform any security audits or analyze API vulnerabilities prior to integration.

This affects some verticals more than others: While 72% of financial services organizations share usernames and passwords and 58% share payment details via APIs, 51% do not encrypt that traffic, potentially exposing valuable customer data in transit.

"It's alarming that executives at organizations with sensitive data from millions of consumers collectively don't feel confident in their security," said Carl Herberger, vice president of security solutions at Radware, which sponsored the report. "They know the risks, but blind spots continue to pose a threat. Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines."

Application security is a particular concern: Half (49%) of the respondents currently use continuous delivery for application services, and another 21% plan to adopt it within the next 12-24 months. However, continuous delivery can compound the security challenges of app development: 62% reckon it increases the attack surface and approximately half say that they do not integrate security into their continuous delivery process.

The report also found vertical-specific issues. For instance, bots are the backbone of online retail today, being used for price aggregation sites, electronic couponing, chatbots in customer service and more. In fact, 41% of retailers reported that more than 75% of their traffic comes from bots. However, they often can’t identify bad-bot traffic, and attackers are taking advantage of this: Web scraping bot attacks plague retailers by stealing intellectual property, undercutting prices, holding mass inventory in limbo and buying out inventory to resell goods through unauthorized channels at markup.

Retailers also face two distinct but highly damaging threats during the holidays: Outages and data breaches. Web outages during the holiday season, when retailers make most of their profits, could have disastrous financial consequences. Yet more than half (53%) are not confident in their ability to provide 100% uptime of their application services. High-demand periods like Black Friday and Cyber Monday also spell trouble for customer data: 30% of retailers suggest they lack the ability to secure sensitive data during these periods.

Healthcare has a similar bot problem: 42% of traffic is from bots in this segment, but only 20% of IT security execs were certain they could identify the "bad" ones. And, the report found that patient healthcare data is at risk. Just 27% of healthcare respondents have confidence they could safeguard patients' medical records, even though nearly 80% are required to comply with government regulations. Patching systems is critical to an organization's security and its ability to mitigate today's leading threats, but some 62% of healthcare respondents have little or no confidence in their organization's ability to rapidly adopt security patches and updates without compromising operations.

Further, more than half (55%) of healthcare organizations said they had no way to track data shared with a third party after it left the corporate network. Healthcare organizations are particularly unlikely to monitor the Dark Web for stolen data, with 37% saying they did so, compared to 56% in financial services, and 48% in retail.