Security Statistics around the world to Surprise you.

Business is all about analytics. Information security is major concern these days. Industry statistics such as those compiled by Gartner , computer world project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications,

What one says is just an opinion if not backed by concrete data. Isn’t it the same with web application security too? Every security professional needs some substantial figures behind the belief that application security  is going to be the most crucial vector for public-facing websites. Here are some key statistics that your company should not be missing.

 

Data Breaches

1. 30,000 websites are hacked daily, which means that around 10 million sites are hacked in a year.
2. 32,323 public Indian website were hacked in 2014 with 14% Y-o-Y increase.
3. 155 .GOV and .NIC domains were hacked last year.
4. 1,000,000,000 (a billion) personal records were stolen globally last year.
5. Around 75% of the data breaches happen at the application layer.
6. According to CIOs, financial loss, reputations damage, and disruption of the business are key damages that they faced immediately after the breach.
7. Illicit financial gains is the motive behind 58% of the cyber-attacks.
8. Sensitive data is also allures hackers. Major Indian song portals and taxi-for-hire websites were hacked for credit card and user information.
9. Last year, it was reported that 90% of mobile banking applications were vulnerable to attack.

Key takeaways: Unless companies operate their business in a vacuum, they cannot overlook the risk of hacking. This risk is real and getting graver with more money being pumped into the online economy. Information Technology research giant Gartner has already predicted that increasing adoption of cloud and mobile will drive security market, which is estimated to $76.9 billion by this year and $170 billion by 2020.

Phishing

10. 156 million phishing emails are sent every day. The figure crosses 56 billion in a year.
11. 16 million emails manage to pass the spam filters successfully every day.
12. Around 800, 000 links in these spam emails are clicked on a daily basis.
13. Phishing causes companies an estimated loss of $28.1 billion.
14. There is an acute lack of awareness on phishing attacks in employees across the world. Such attack are even more dangerous when employees are using their official user rights in the network.
15. Advanced phishing attacks also use social engineering to extract user information through social networking.
16. One phishing attack is carried out every minute.
17. Is it easy to identify phishing mails? Survey shows that 97% internet population cannot differentiate a sophisticated phishing mail.

Key takeaways: Modern phishing is not just a risk for customers and users but also businesses at large. Phishing is increasingly being used to launch sophisticated Cross-Site Scripting attacks to steal sensitive information.

 

Attack Surface & Methods

When looking at the number of breaches per asset category, servers have typically been on top – that is where the data is stored – but user devices have been growing over time.²

1. Mobile devices (smartphones and tablets) are perceived as IT security’s weakest link, closely followed by social media applications.¹
2. The majority of users (58%) operate 3-4 devices on a daily basis.⁷
   59% of respondents experienced an increase in mobile threats over the past year.¹
   66% of sensitive data is stored upon on-site servers.⁸
3. 89% of US healthcare make patient data available to patients, surrogates and/or designated others.⁵
4. 43% of US healthcare share data with patients via a health website or web portal.⁵
5. 92% of IS professionals believe APTs represent a credible threat to national security and economic stability.⁶
6. 92% of IS professionals believe that social network use increases likelihood of a successful APT attack.⁶
7. 88% on IS professionals think that BYOD combined with rooting or jailbreaking makes a successful APT attack more likely.⁶
8. More than 1 in 4 IS professionals believe the highest risk from APTs is loss of personal information of employee or customer.⁶
9. 63% of users admit to forgetting a password, or had a password compromised, in their professional life.⁷
10. 92% of 100,000 analyzed incidents can be categorized by just 9 basic patterns.²
    Countries in the Arabian region and Germany had more data breaches caused by malicious or criminal attacks.¹⁰
11. India had the most data breaches caused by a system glitch or business process failure.¹⁰

 

OWASP Top 10

18. SQL Injection was discovered 15 years ago but it is still the most dangerous vulnerability. It even tops the OWASP Top 10 list.
19. Around 97% of all the data breaches across the world happen due to SQL Injection.
20. Cross Site Scripting, on the other hand, is the easiest way to compromise sites.
21. 91% of the websites detected with ‘Critical’ vulnerabilities tested by Indusface Web Application Scanning had SQL Injection vulnerability.

Key takeaways: OWASP vulnerability detection and protection is the first step towards securing web and mobile applications. It is unfortunate that even some of the major online brand names overlook app security and compliance.

Malware

22. Malware exist in computers of around 40% of the computer users.
23. There are more than 400, 000, 000 types of malware today.
24. 80, 000, 000 types of malware have been identified recently.
25. Malware is the top reasons behind sites getting blacklisted by search engines and site index portals.
26. 97% of all types of mobile malware affects Android devices solely.

Key takeaways: Malware like virus, worms, adware, and Trojan horses affects web and mobile applications at large. Data breach, blacklisting, DDoS, and loss of business reputation are some of the severe risks that companies face if malware is not prevented. Regular scanning for malware detection is critical.

Distributed Denial of Services

27. DDoS attacks cost banks up to $100, 000 per hour.
28. 20% of such attacks last for days and even months.
29. A lot of attackers also use DDoS as a diversion for other kinds of application attacks.
30. 87% of the attacked companies were hit more than once.
31. Attacks within bandwidth of 1-5 GB have increased by 150%.
32. Competitors launch DDoS attacks to disrupt business on high sale volume days.
33. Companies need around 10 employees to mitigate DDoS.
34. It is impossible to detect and prevent all types of DDoS attacks unless traffic to the application is monitored continuously.
35. The estimated cost of successful DDoS attack for a company is anywhere between $5,000 and $19,999 an hour.

Key takeaways: With intrusion prevention systems and network firewalls failing to detect application distributed denial of services, companies should look into 24 × 7 DDoS monitoring and mitigation solutions like manage web application firewall.

Corporate Espionage, Activists, Hacking activities & Nation States

1. Compromises attributed to competitors were highest in Asia Pacific.
2. Almost half (47%) of respondents from China point to competitors as the source of security incidents, higher than any other nation.
3. Automotive firms saw an 84% increase in security incidents from activists / Hacking activities
   Attacks by nation-states jumped 80% at technology companies, explaining increase in IP theft perhaps.

 

Policies & Procedures

One in three companies do not have a written information security policy (WISP).

1. 77% of organizations have a password policy or standard.
2. 59% of organizations have a user (privileged) access policy.
3. 46% of organizations have an incidents response policy.
4. 34% of companies do not have a crisis response plan for a data breach or cyber-attack event.
5. 49% of companies do not perform periodic “fire drills” to test IT Security event response plans.
6. 54% of US healthcare provider IT & IS professionals have tested their data breach response plan.
7. 1 in 3 organizations do not or do not know if third-party data access contracts / policies are in place.
8. 77% of IS professionals have not updated agreements with third parties for protection against APTs.=
9. Less than 40% of organizations conduct full-network active vulnerability scans more than once per quarter.
10. Only 20% of IT security professionals are confident their organizations have made adequate investments in educating users on how to avoid phishing attacks.

 

Research Sources:

• Indusface research, reports, whitepapers, and case studies
• Forbes
• The Dark Reading
• KPMG
• Government of Canada