Verizon recently released its Data Breach Investigation Report (DBIR) for 2016. The DBIR is based on real-world investigations and reports of over 100,000 security incidents. It examines trends across different industry verticals such as finance, retail, information technology and others.
One of the most startling findings in this year's report is the disproportionate number of web application attacks that result in a data breach. Although attacks on web applications account for only 8 percent of overall reported incidents (whether they were successful or not), they accounted for over 40 percent of incidents resulting in a data breach and were the single biggest source of data loss.
The report also revealed that the volume of data breaches caused by web application attacks is rising rapidly: the percentage of data breaches that leveraged web application attacks increased in the last year from only about 7 percent in 2015 to 40 percent. These findings are a clear indication that web applications in many organizations are not just exposed, but are disproportionately vulnerable compared to other points of attack.
The graph below shows the incidence rates of different attack methods that resulted in a loss of data. The gray bars indicate the corresponding figures from the 2015 DBIR. The graph clearly illustrates that web application attacks accounted for the greatest percentage of attacks that resulted in breaches, an increase of almost fivefold from 2015.
With these findings in mind, the DBIR recommends that businesses implement a number of security measures: multi-factor authentication to prevent unauthorized access to web applications, anti-malware security measures, extensive validation of web application user inputs, and a patching process for their content management systems (CMS) and third-party plugins.
Following through on these recommendations, there are a number of measures for organizations to think about when considering how to best protect themselves from a data breach:
Verizon Digital Media Services understands your website's complex security needs to protect against this plethora of online threats. This is why we have an enterprise-grade, cloud-based WAF with powerful features, such as highly customizable policy controls, extensive rule sets with over 16,000 rules protecting you against hundreds of vulnerabilities, built-in IP reputation database, virtual patching for common CMS software, and integration with Verizon's other security layers, e.g., DDoS, DNS and TLS/SSL protection.
Contact us today to learn more about how our integrated, multi-layer security solution can help you secure your mission-critical data.
Vikas Phonsa, Senior Product Manager – Security Solutions
Eyal Arazi, Product Marketing Manager – Security