
Data security: the new frontier of app protection

31 Jul 2018

With the European General Data Protection Regulation (GDPR) having recently come into effect, many organisations fear becoming the first to suffer a data breach and being burdened with the heavy costs of non-compliance under the much stricter regime. As more personal data is stored and processed in apps, the app is becoming a prime target for cybercriminals, and therefore a weak point for GDPR compliance.

Given that 93% of web application attacks are attributed to organised crime and 77% of these are botnet-related, businesses in a post-GDPR world need to make apps a central part of their security strategy to avoid data breaches and the monetary and reputational damage they cause. Properly securing apps can help reduce the fear businesses are experiencing over failing to maintain compliance.

The new regulation gives EU citizens more protection over their personal data and how businesses use it. The scope of the legislation means that it affects not only businesses that sell to the EU, but also those that hold the personal data of EU citizens, have an establishment in the EU, or monitor the behaviour of EU citizens. Businesses therefore need to ensure that their data is adequately protected now, or they could be liable for GDPR fines.

Complying with the 72-hour notification of breaches rule

GDPR requires businesses to step up and ensure secure data storage and optimal reporting mechanisms for data breaches.

The 72-hour breach notification rule under GDPR means that businesses need a strong security strategy in place in order to identify breaches quickly and disclose them within this strict time frame. Ensuring that businesses have visibility of encrypted app traffic leaving the organisation is crucial to guaranteeing compliance with this rule. As businesses are bound by GDPR whenever they interact with EU citizens, securing personal data is necessary to avoid the heavy costs of non-compliance.

Apps are a key target for cybercriminals

F5 Labs research has found that apps are the initial target in 53% of data breach attempts, making them the biggest target for cyber-attacks. Even more worrying, experiencing cyber-attacks on apps isn’t enough to change a business’s security strategy: 46% of IT professionals admit that they rarely make changes to their security strategy, even after a breach has occurred.

In a post-GDPR world, organisations need to wake up to the threat that cyber-attacks pose to their operations and develop strategies built around app security. As the recent breach of the MyFitnessPal app, in which the personal data of 150 million users was compromised, demonstrates, app security is essential for all businesses that want to avoid exposing the personal data of their users.

Where should companies start?

Because apps are such a crucial component of any business’s security strategy, businesses need to take a security-first approach in order to secure their apps effectively.

As apps are increasingly adopted by both consumers and businesses, malicious attempts to break through authentication and authorisation controls are inevitable. Implementing a centralised access gateway is one step organisations can take to manage and secure authentication. Incorporating multi-factor authentication into a business’s security strategy is another useful way to protect the personal data that apps collect.

With a two-fold rise in DDoS attacks during the first quarter of 2018, establishing effective defences against these attacks can go a long way towards securing personal data. Implementing a Web Application Firewall (WAF) not only allows behavioural analysis to distinguish legitimate users from malware, but can also detect and stop DDoS attacks on apps before personal data is compromised.

Threat modelling, vulnerability scanning and risk modelling

Some key practices are crucial in helping businesses maintain app security. Threat modelling allows a business to assess the likelihood of cyber threats and the motivation of attackers, and to build a comprehensive list of all the possible ways its apps could be breached.

Vulnerability scanning can then pinpoint where apps are most exposed to those threats, allowing a risk model to be developed that prioritises which areas of risk should receive the most resources. This makes the process of securing apps more efficient for organisations.

Focus on app security

Businesses need to think carefully about the data regulation landscape that GDPR places them in. By taking immediate steps to identify where they are vulnerable to threats and establishing visibility of attack attempts, businesses can help ensure that their apps are solidly protected and that personal data is not exposed. Making app security an essential part of the overall security strategy can help protect against the threat of GDPR non-compliance.

Article by F5 Labs principal threat research evangelist David Holmes.
