Channel: EnsightenBlog – Ensighten

Bringing Web Security to RSA Conference 2019

Ensighten will be highlighting the importance of web security at the world’s biggest InfoSec event, RSA Conference 2019

In 2019, there’s not a department or function within an organization that isn’t shaped in some way by the need for cybersecurity. Barely a week passes when we don’t hear of another high-profile company or government agency that has fallen victim to cybercrime – whether it’s a ransomware attack, phishing campaign, cryptojacking, or any number of sophisticated new threats waiting to be unleashed on the enterprise and undermine its website security.

Companies are waking up to the long-term financial and reputational damage that a cyberattack can inflict. Conversations about website security can be heard throughout every aspect of the enterprise – including the boardroom, where business leaders are giving the green light to greater IT security spending in line with the perceived risks associated with data loss. New research claims the $162 billion (£123 billion) spent on cybersecurity in 2018 will jump by an astounding $1,105 billion (£837 billion) during 2019, driven by adherence to GDPR and other data privacy regulations such as CCPA, which is due to come into effect in January 2020.

Due to this heightened awareness around cybersecurity, the RSA Conference 2019 in San Francisco has never been more relevant to the modern enterprise. As the world’s biggest information security (InfoSec) event, it draws more than 50,000 attendees per year, providing a platform for both cybersecurity leaders and new industry voices, advocating for next generation technologies that can go toe-to-toe with today’s increasingly complex cybercrime threats.

Ensighten will be one of those voices at RSA Conference, showcasing the need for next generation website security for the enterprise. The last 12 months have seen several high-profile incidents where global organizations’ websites were targeted by cybercriminals, including The Make-a-Wish Foundation, Ticketmaster, ABS-CBN and Newegg.

Website security: Why is it so important?

Website breaches can be disastrous for any organization, and can even prove terminal if customers’ credit card, passport or other Personally Identifiable Information (PII) is stolen. Not only do they face public scrutiny and potentially huge fines imposed by the appropriate regulatory bodies, but they may take a bigger hit if confronted by unhappy investors, decreasing market value or desertion by customers who can no longer trust them to keep their personal information secure.

Despite this, our own research indicates that only 30 percent of enterprises are completely prepared in the event of a website breach. In many instances, organizations may not even be aware of the threat posed, as hackers use third-party vendors to gain entry to their websites. It is imperative to us that organizations understand the enormous risks they are taking with their business and their reputation if they aren’t taking every precaution to secure their website supply chain.

Ensighten at the RSA Conference 2019

At the RSA Conference we will be demonstrating our leading website security solution, which protects businesses against malicious attacks and data loss.

Alongside this, we know that marketing security is also still slipping under some organizations’ radar. We will be talking to InfoSec professionals about why it is essential to stop criminals getting their hands on all the customer data that their businesses acquire for campaigns and other marketing projects. Further, we will be presenting our MarSec™ platform, which manages and controls both the enterprise and customers’ data on a website in real-time to prevent data leaks and loss of PII.

The theme of this year’s RSA Conference is ‘Better’. It implores everyone “from the C suite to those of us on the front lines” to do better when it comes to creating a better, more secure world. That’s exactly our goal with our next-generation website security solution.

As RSA explains: “We come here to experience better solutions, brainstorm better ideas, and remind ourselves that a better, safer world is ahead.” Ian Wooley, CRO, Ensighten.

The post Bringing Web Security to RSA Conference 2019 appeared first on Ensighten.


The rise…and rise of Magecart

With formjacking incidents on the rise, is your website leaving your customers vulnerable to data theft?

2018 saw a sharp rise in incidents of web skimming and formjacking, a method used by cybercriminals to steal visitors’ credit card details and other personal information from the payment forms on the checkout pages of e-commerce websites.

Put simply, hackers inject malicious JavaScript code into e-commerce websites, often via a third-party vendor on the site, which in turn can harvest any personal or financial information supplied by visitors during the transaction process.

Zscaler’s Cloud Security Insights report notes that “With the increase in JavaScript skimmer-based attacks, criminals can conduct their nefarious activity within the confines of the SSL environment, leaving most e-commerce sites unaware of the activity.”

Another study, Symantec’s 2019 Internet Security Threat Report, shows that 4,818 unique websites were compromised with formjacking code every month in 2018. The appeal of formjacking for criminals is linked to the value of customers’ credit card information: data from a single credit card can be worth up to $45 (£34) on underground markets. Just 10 credit cards stolen from each compromised website could yield up to $2.2 million (£1.66 million) for cybercriminals each month.

Most wanted: What is Magecart?

At the forefront of these campaigns is a consortium of hackers called Magecart. In 2018 the group executed formjacking-based attacks on several high-profile victims including Ticketmaster, as well as retailers Newegg, Kitronik and VisionDirect.

RiskIQ, which has led the research into Magecart’s activities, says the group is placing digital credit card skimmers on compromised e-commerce sites “at an unprecedented rate and with frightening success.”

Indeed, in its 2018 Holiday Shopping Snapshot RiskIQ says it detected 6,929 unique Magecart incidents between Black Friday and New Year’s Day.

Why is formjacking so dangerous?

In a typical data breach, criminals break into company servers and access databases to steal confidential corporate and employee information that can include passwords, email addresses, phone numbers, and maybe even financial information and intellectual property. This is done by exploiting flaws in website security measures.

But under the Payment Card Industry Data Security Standard (PCI DSS), merchants are prevented from storing full payment card information, such as the CVV security code. What makes Magecart’s attacks so dangerous is that it doesn’t matter that a company hasn’t stored your credit card details. Its malicious script lurks on the client-facing side of a company’s website, waiting to skim any personal information, like a CVV code, that customers enter when they check out. This is also known as a data leak, as the hackers are stealing the information as it is entered, rather than from the business’s servers.

Supply chain attacks

RiskIQ notes that the ‘global attack surface’ is growing every day. For example, modern websites are made up of many different elements – the underlying operating system, frameworks, third-party applications, plug-ins, trackers – all designed to deliver the user experience that people have come to expect, as well as to reduce time to market and derive maximum value from user interactions.

However, this commonality of approach is attractive to criminals as a successful exploit written for a vulnerability or exposure on one site can be reused across many sites, creating a threat to multiple website security measures.

In numerous cases, Magecart has targeted third-party website vendors used in the supply chain in order to inject its code onto websites. In the case of Ticketmaster, Magecart compromised a third-party chatbot, which loaded malicious code into the web browsers of visitors to Ticketmaster’s website, with the aim of harvesting customers’ payment data.

In addition, code supplied by third-party vendors integrates with thousands of websites, so when it is compromised, the websites of all of the customers that use it are compromised too, giving Magecart access to a wide range of victims at once.

Secure your website

This growing attack surface means that while cybersecurity solutions are often deployed on an organization’s networks or servers, its website is highly susceptible to attack. As a unique point of vulnerability for customers inputting credit card data at the source, it shouldn’t be overlooked.

Formjacking, or web skimming, is on the rise, so it is crucial that you ensure your website is secure. As well as observing and monitoring site traffic and testing any new updates to detect suspicious behaviour, a key part of website security is mitigating the threat from third-party vendors by creating a whitelist or blacklist that ensures you only share data with trusted vendors.

Don’t risk becoming Magecart’s next victim. Speak to Ensighten about how our marketing security solution will enable you to manage all your third-party vendor technologies and prevent unauthorized data collection.

What Will Artificial Intelligence, Machine Learning and Other Emerging Technologies Mean for Cybersecurity?

With all the hype around artificial intelligence (AI), should there be more focus on getting the fundamentals of security right first?

There’s no escaping the buzz around artificial intelligence (AI). Along with other emerging technologies such as machine learning (ML) and Robotic Process Automation (RPA), it is being touted as a game-changer for businesses.

AI is increasingly present in devices, applications and services throughout any organization with a digital offering. But nowhere has AI’s potential for disruption been more evident than in cybersecurity, with the technology quickly gaining traction within enterprise businesses – particularly around automated threat prevention, detection and response.

It is an increasingly popular option as it enables businesses to be more proactive in their defence strategies and detect more threats before they can do serious damage to their organization or their web security. One study published in January 2019 shows that 86 percent of businesses have explored Machine Learning and Artificial Intelligence solutions, with almost half (48 percent) pointing to quicker response times and better web security as their primary drivers.

Fighting fire with fire

Nevertheless, for every company leveraging AI cybersecurity within their website security strategy, you can be certain that criminals will be using that same technology to launch increasingly sophisticated attacks of their own.

Criminals can leverage AI to:

  • Automate attacks and improve evasion capabilities against detection systems
  • Increase the scale and reach of the threats
  • Improve current digital attack tools to make them more harmful and difficult to detect
  • Automatically breach defences and generate more sophisticated phishing attacks from information scraped from websites

According to a recent report by Riot Research, “an arms race will develop around Artificial Intelligence and Machine Learning as major cybercriminal gangs and rogue nation states adopt these to launch increasingly sophisticated cyberattacks, pushing spending on countermeasures.”

No magic bullet

CIOs questioned for Gartner’s 2019 CIO Agenda predicted AI would be the most disruptive technology for their businesses. Thirty-seven percent responded that they have already deployed AI technology or that deployment was in short-term planning. In terms of implementation, AI came in second place – behind cybersecurity.

What we can take from this is that there is great potential for the application of Artificial Intelligence security and other disruptive technologies within the realm of cybersecurity. But it is important to remember that these technologies don’t work in isolation, and they are not a ‘magic bullet’ for your cybersecurity needs.

Multi-layered approach to website and data security

Next-generation technologies such as AI should be implemented in tandem with other website security solutions, because, while cyberattacks today are increasingly complex and targeted, it is still important that organizations don’t overlook some of the most common attack vectors.

This includes website security, which offers unique points of vulnerability for organizations. For example, incidents of formjacking, or digital payment card skimming, in which hackers steal customers’ credit card details, rose sharply in 2018. Elsewhere, cryptojacking – where criminals use browser-based JavaScript code to mine for cryptocurrencies whenever a user visits the website – affected ten times more organizations last year than ransomware.

Many of these attacks on websites take advantage of third-party technologies which run on the sites, providing a backdoor through which criminals can access your customers’ personal and payment data. Even with this in mind, 67 percent of organizations are yet to implement marketing security for their website, putting both their customers and the future of their business at risk.

With the many advances being made with new disruptive technologies like AI, it is important to invest in getting the fundamentals right, which means including marketing security as part of your holistic approach to cyber defense. Get in contact to learn more.

Data Leaks: The Real Cost to Your Business

Why the long-term effects of a data breach on your business can be catastrophic

Billions of personal records are lost or stolen every year, either through cyberattack or simple data mismanagement. In 2018 some of the biggest names in government, technology, healthcare, travel and hospitality suffered data losses.

At the same time, data privacy has never been more important; companies are now subject to intense scrutiny from regulators as to how they handle, store and secure their customers’ personally identifiable information (PII) and data.

The most recent Cost of a Data Breach Study by The Ponemon Institute shows that the cost of a data breach is snowballing, with more records being lost or stolen every year. Here are the stats:

  • Average total cost of a data breach: $3.86 million
  • Average total one-year cost increase: 6.4 percent
  • Average cost per lost or stolen record: $148
  • One-year increase in per capita cost: 4.8 percent
  • Likelihood of a recurring material breach over the next two years: 27.9 percent
  • Average cost savings with an Incident Response team: $14 per record

How can you work out the cost of a data breach?

The cost of a data breach covers detection, escalation, notification, and any activities an organization must undertake following an incident, including working to repair their reputation. Here are the most common outlays following a breach.

  1. Detection and escalation of a data breach

This is the cost incurred at ground zero – as soon as a breach is detected. Once an organization detects a breach or loss of data, it must report it within a specified time-frame.

For this they may need to implement forensic and investigative activities, assessment and audit services, crisis-team management, as well as communicating the problem to management and the board of directors.

The problem is that data loss can remain undetected for months after the original attack. The Ponemon study shows that the average time taken to identify a breach was 197 days in 2018, and the average time to contain it was 69 days.

However, it can take much longer to locate a data leak – last month it came to light that 42,000 patients in Florida had their personal and health information exposed in a breach that lasted 16 months.

  2. Post data breach response

These are the costs associated with communicating with individuals affected by the data leak, as well as costs associated with reparation with customers and regulators.

For example, any help desk activities or inbound communications, credit report monitoring and identity protection services, as well as issuing new accounts or credit cards, legal expenses and regulatory fines. (This can come in the form of subsequent legal action – see the Wendy’s data breach, below.)

  3. Notification costs

Post-breach, organizations must notify the individuals whose data was compromised via email, letters, outbound telephone calls, or by general notice. They also need to communicate with regulators and perhaps engage outside experts.

It is vital that organizations get this right. Under GDPR, organizations have 72 hours to disclose any data breaches to the relevant authorities, as well as the victim of the breach. The penalty for failing to notify them is €10 million, or two percent of revenues.

In addition to these initial expenses, some of the most dramatic long-term ramifications of a data breach or data leak occur in the weeks, months and even years following an incident.

Lost business following a data leak

Initial costs of lost business might include business disruption and system downtime. However, data breaches will also result in the long-term loss of customers, reputation and goodwill. Forty-one percent of British consumers and 21 percent of US consumers said they will stop spending with a business or brand forever following a data security breach. This type of reputation damage can be difficult to repair.

Ponemon says that organizations that lost less than one percent of their customers due to a data breach saw an average loss of $2.8 million in 2018. If four percent or more was lost, the average loss was $6 million, a difference of $3.2 million.

Legal action

Data loss also means organizations leave themselves open to legal action. Wendy’s recently settled a $50 million lawsuit after cybercriminals targeted 1,025 of its point-of-sale systems with malware, leading to the loss of massive quantities of payment card data. After a consumer class-action lawsuit which it settled for $3.4 million, Wendy’s agreed to pay out $50 million to compensate affected card issuers for breach-related losses and expenses, such as the cost of reissuing cards and compensating cardholders for fraud losses.

Regulatory penalties following data breaches

Under GDPR, organizations can be fined up to four percent of annual global turnover or €20 million, whichever is greater, if they fail to comply with the regulation.

In the US there are also efforts to introduce data privacy regulations at state level – with the likes of the California Consumer Privacy Act (CCPA) – and at federal level with the US Senate examining how lawmakers can protect consumer privacy.

Brand damage

In real terms, a company can literally lose its value following a data breach. A multi-year study by Comparitech published in 2018 shows that data breaches have an impact on a company’s share price. The study’s authors said that the impact of data breaches “likely diminished over time, but the damage was still visible in the stock’s NASDAQ performance indicator even after three years, in some cases”. The following impacts were recorded.

  • Share prices of breached companies hit a low point approximately 14 market days following a breach
  • Finance and payment companies saw the largest drop in share price performance following a breach
  • Breaches that leak highly sensitive information like credit card information and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info

Third party problem in data breaches

A reported 59 percent of companies say they have experienced a data breach caused by one of their vendors or third parties. More worryingly, many of these types of breaches go undetected: 22 percent of respondents to a late 2018 survey by Opus and Ponemon admitted they didn’t know if they’d had a third-party data breach in the past 12 months.

Furthermore, only 37 percent indicate they have sufficient resources to manage third-party relationships and only 35 percent rate their third-party risk management program as highly effective.

Considering the wide ecosystem of third party vendors in today’s modern IT environment – particularly those with access to vital business resources like the company website – organizations must have a complete view of which third parties have access to what sensitive data, and how they are using it. Having a formal monitoring and tracking process in place for third parties will protect against potential data leakage and help defend your organization from a costly data breach incident.

How to guard against data breaches

The fact is that no organization that suffers a data breach will escape without either serious long-term financial or reputational damage.

It is therefore impossible to overestimate the importance of securing data, be it corporate or personal, for which you are liable – the potential short and long-term damage you can suffer otherwise is almost incalculable.

Importantly, there is a direct correlation between how quickly an organization can identify and contain data breach incidents and the severity of the financial consequences – companies that contained a breach in less than 30 days saved more than $1 million versus those that took longer.

When it comes to data leaks, prevention is better than a cure; investing in a comprehensive data privacy solution now could save your company millions in lost business and regulatory penalties. Speak to Ensighten about how to gain an insight to your data, any third party vulnerabilities or potential breaches to ensure you maintain regulatory compliance and keep your business up and running.

What Is Marketing Security?

Why marketing security is your first line of defense against data leaks

Your website is one of your business’ most valuable assets. It not only provides a powerful tool for engagement with customers – and potential customers – it is a powerful marketing platform and a source of data on user behavior, preferences and Personally Identifiable Information (PII).

For a marketer, the more data you can gather on visitors to your website, the better you can craft campaigns and target individuals. Moreover, you may be entrusted with sensitive customer data such as names, addresses, credit card details, passwords and other personal information.

The massive threat of data loss

With the volume and value of customer data under the spotlight, the risk of data loss and data leaks looms large. Unfortunately, in 2019 all enterprises that collect data online are still vulnerable to cyberattack. The threat is now so prevalent that in its Global Risks Report, the World Economic Forum (WEF) recently put large scale cyberattacks as the fifth biggest threat facing our world today, ranking only three places down from climate change.

In addition, 82 percent of companies that the WEF questioned believe the risk of cyber-attacks leading to data theft and data leakage will increase in 2019.

Elsewhere, the 2019 Thales Data Threat Report – Global Edition says 60 percent of organizations globally have already experienced a data breach at some point in their history, with 30 percent experiencing a breach within the past year alone. The US had the highest number of data breaches of all breaches globally in the last three years (65 percent) as well as in the last year (36 percent).

What are the threats to your website?

While much of the current talk around the importance of cybersecurity focuses on securing the company network, some of the biggest breaches in recent years have occurred after an organization’s website was compromised, leading to valuable data being stolen. This is due, in part, to websites – and website security – falling under the remit of the marketing department rather than the IT team, while website security is not something marketing departments are tasked with solving. This is an oversight that cybercriminals can readily exploit.

It is vital that all businesses are aware of the vulnerabilities across their marketing platforms and can prevent or mitigate risk effectively.

Formjacking (Magecart’s MO)

We’ve all heard how criminals can use a device to ‘skim’ your credit card details from an ATM; formjacking is the web-based equivalent. Also called digital payment card skimming (DPCS), it sees hackers inject malicious code into a website – often through a third-party technology – and harvest customers’ financial information when they make an online purchase.

At the heart of these attacks is a consortium of hackers called Magecart, which in 2018 executed numerous high-profile attacks on the likes of Ticketmaster, along with retailers Newegg, Kitronik and VisionDirect.

An average of almost 5,000 websites per month fell victim to a formjacking attack during 2018, according to the 2019 Symantec Internet Security Threat Report.

Cryptojacking

The most common type of cyberattack in 2018, cryptojacking sees hackers inject browser-based cryptomining code into a website to mine cryptocurrencies illicitly. This causes significant problems for any business, as cryptojacking degrades website availability and performance, which can lead to lost customer conversions and revenue.

Both formjacking and cryptojacking follow a trend towards web-based attacks, meaning the user no longer needs to download malicious software to be affected.

Third-party entry system

Attackers often gain access to websites via a third-party vendor or supplier – Ponemon research shows 59 percent of companies have experienced a data breach caused by one of their third parties. In the case of Ticketmaster, Magecart exploited a chatbot from a third-party customer support company by injecting malicious JavaScript into it.

For a marketer, third-party tags or code like social media buttons, ad trackers and chatbots are useful for improving and tracking the customer experience, but they can also throw a wide door open to cyberattacks and data leaks.

Fallout of a data breach

At the same time, regulatory pressure and financial penalties are increasing for data loss. The post data-breach fallout may also include business disruption, class-action lawsuits, executive firings, reputational damage and diminished market value of the organization.

However, compliance rates for Payment Card Industry Data Security Standard (PCI DSS) – the standard for organizations that handle branded credit cards – are falling. Verizon’s 2018 Payment Security Report reveals that almost half of organizations assessed were not fully compliant, and that the average number of controls failed rose to the highest level seen since 2012.

What can I do to secure my website from hackers and data leaks?

Forty-one percent of enterprises have already experienced a marketing security incident. To prevent this happening to your organization, it is essential to ensure that your website, and any sites it interacts with to process transactions (such as secondary payment processors), are protected from a potential injection of malicious JavaScript.

Ensighten’s website security solution (MarSec™) offers real-time control of business and customer data on your website or web properties and apps, to prevent leakages of data and PII. It enables your company to cut through the confusion of third-party suppliers and gain insight into who has access to what customer data. MarSec™ also ensures that data stays private, secure and that governance is enforced, preventing exposure and risk.

Website Security offers:

  • Data leak prevention: inspects the onward content contained within JavaScript requests
  • Third-party technology control: whitelists only approved vendors to operate, and helps manage and update policies in real time
  • Data masking and redaction: masks or redacts sensitive data strings
  • Client-side security control: extends protection beyond the company network to potentially vulnerable areas that can be overlooked

With a real-time website security strategy and enforcement tools, enterprises can prevent data leakage and unauthorized access to customer data via malicious JavaScript injection, formjacking and other client-side attacks. This ensures every aspect of your business is secure, providing you with complete peace of mind and protection for your organization.
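As an added illustration (not Ensighten’s or MarSec™’s code) of the client-side controls discussed above and in the Magecart post, the block below sketches a browser-side egress policy: an allowlist of approved vendor origins, inspection of the payload of every outbound fetch() and sendBeacon() call, and masking of card numbers before they reach any third party. The first-party origin, the vendor name and the payloads are constructed; a production control would also have to cover XMLHttpRequest, image beacons and WebSocket, and would normally sit alongside a Content Security Policy.

```javascript
// Added example, not Ensighten's or MarSec's code: a minimal client-side egress
// policy. Every origin, vendor name and payload below is constructed.

const FIRST_PARTY = 'https://www.example-shop.test';                    // constructed
const APPROVED_VENDORS = new Set(['https://analytics.vendor-a.test']);  // constructed

// Luhn check, so that 16-digit order or tracking numbers are not masked by mistake.
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Replace every Luhn-valid run of 13-19 digits (spaces or dashes allowed) with a
// masked form that keeps only the last four digits.
function maskPans(text) {
  return text.replace(/\b(?:\d[ -]?){12,18}\d\b/g, (match) => {
    const digits = match.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : match;
  });
}

// Verdict for one outbound request issued by page JavaScript:
//   first-party origin     -> allow, payload untouched (the checkout itself)
//   approved vendor origin -> allow, but card numbers in the payload are masked
//   anything else          -> block (an unapproved collection endpoint is never reached)
// Returns { action: 'allow' | 'block', origin, body, reason }.
function evaluateRequest(url, body = '') {
  let origin;
  try {
    origin = new URL(url, FIRST_PARTY).origin;   // resolves relative URLs against the page
  } catch (e) {
    return { action: 'block', origin: null, body: null, reason: 'unparsable URL' };
  }
  if (origin === FIRST_PARTY) {
    return { action: 'allow', origin, body, reason: 'first-party' };
  }
  if (APPROVED_VENDORS.has(origin)) {
    const masked = maskPans(body);
    const reason = masked === body ? 'approved vendor' : 'approved vendor, card data masked';
    return { action: 'allow', origin, body: masked, reason };
  }
  return { action: 'block', origin, body: null, reason: `origin ${origin} not allowlisted` };
}

// Put the policy in front of fetch() and navigator.sendBeacon() on a window-like
// object. onBlock receives every blocked verdict so attempts can be reported.
function installGuard(win, onBlock = () => {}) {
  if (typeof win.fetch === 'function') {
    const realFetch = win.fetch;
    win.fetch = (input, init = {}) => {
      const url = typeof input === 'string' ? input : input.url;
      const raw = init.body == null ? '' : String(init.body);
      const v = evaluateRequest(url, raw);
      if (v.action === 'block') {
        onBlock(v);
        return Promise.reject(new TypeError(`Blocked by egress policy: ${v.reason}`));
      }
      // Only substitute the body when masking actually changed it.
      return realFetch(input, v.body === raw ? init : { ...init, body: v.body });
    };
  }
  if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
    const realBeacon = win.navigator.sendBeacon.bind(win.navigator);
    win.navigator.sendBeacon = (url, data) => {
      const raw = data == null ? '' : String(data);
      const v = evaluateRequest(url, raw);
      if (v.action === 'block') { onBlock(v); return false; }
      return realBeacon(url, v.body === raw ? data : v.body);
    };
  }
  return win;
}
```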
