With the European General Data Protection Regulation (GDPR) having recently come into effect, many organisations fear becoming the first to suffer a data breach and be burdened with the heavy costs of non-compliance under the much stricter regime. As more personal data is stored and processed in apps, the app is becoming a prime target for cybercriminals, and therefore a weak point for GDPR compliance.
Given that 93% of web application attacks are attributed to organised crime and 77% of these are botnet-related, businesses in a post-GDPR world need to make apps a central part of their security strategy to avoid data breaches and the monetary and reputational damage they cause. Properly securing apps can help reduce the fear businesses are experiencing over failing to maintain compliance.
The new regulation gives EU citizens more protection over their personal data and how businesses use it. The nature of the legislation means that it affects not only businesses that sell to the EU, but also those that hold the personal data of EU citizens, have an establishment in the EU, or monitor the behaviour of EU citizens. Businesses therefore need to ensure that their data is adequately protected now, or they could be liable to GDPR fines.
Complying with the 72-hour notification of breaches rule
GDPR requires businesses to step up and ensure secure data storage and optimal reporting mechanisms for data breaches.
The 72-hour breach notification rule under GDPR means that businesses need a strong security strategy in place in order to identify breaches quickly and disclose them within this strict time frame. Ensuring that businesses have visibility of encrypted app traffic leaving the organisation is crucial to guaranteeing compliance with this rule. As businesses are still bound by GDPR if they interact with EU citizens, securing personal data is necessary to avoid the heavy costs of non-compliance.
Apps are a key target for cybercriminals
F5 Labs research has found that apps are the initial target for 53% of data breach attempts, making them the biggest target for cyber-security attacks. Even more worrying, experiencing cyber-attacks on apps isn't enough to change a business's security strategy: 46% of IT professionals admit that they rarely make changes to their security strategy, even after a breach has occurred.
In a post-GDPR world, organisations need to wake up to the threat that cyber-attacks pose to their operations and develop strategies built around ensuring app security. As the recent MyFitnessPal hack, in which the personal data of 150 million users was compromised, demonstrates, app security is essential for all businesses that want to avoid exposing their users' personal data.
Where should companies start?
Because apps are such a crucial component of any business's security strategy, businesses need to start taking a security-first approach to securing their apps effectively.
As apps are increasingly adopted and used by both consumers and businesses, malicious attempts to break through login authentication and authorisation are inevitable. Implementing a centralised access gateway is a step that organisations can take to manage and secure authentication. Incorporating multi-factor authentication into a business's security strategy is another useful way to protect the personal data that apps collect.
With a two-fold rise in DDoS attacks during the first quarter of 2018, establishing effective defences against these attacks can go a long way towards securing personal data. Implementing a Web Application Firewall (WAF) not only allows behavioural analysis to distinguish legitimate users from malware, but can also detect and stop DDoS attacks on apps before personal data is compromised.
Threat modelling, vulnerability scanning and risk modelling
There are some key practices that are crucial in helping businesses maintain app security. Threat modelling allows businesses to estimate the likelihood of cyber threats, understand the motivation of attackers, and build a comprehensive list of all the possible ways their apps could be breached.
Then, vulnerability scanning can pinpoint where apps are most exposed to threats and allow for a risk model to be developed to prioritise which areas of risk to focus most resources on. This makes the procedure of securing apps more efficient for organisations.
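The three-step procedure above (threat model, scan, risk model) carried through as an added example that is not from the article or from F5: a small integer risk model that weights each threat's likelihood and impact by the worst scan finding on the affected component, and keeps components that were never scanned separate so missing data is not mistaken for low risk. All threats, components and scan results are constructed sample data.

```python
"""Added example (not from the F5 article): rank app components for
remediation by combining threat-modelling estimates with vulnerability-scan
results. All threats, components and scan results below are constructed."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str        # one way the app could be breached, from the threat model
    component: str   # the app component the threat applies to
    likelihood: int  # 1 (unlikely) .. 5 (expected), estimated during modelling
    impact: int      # 1 (minor) .. 5 (large-scale personal-data exposure)


@dataclass
class ScanResult:
    component: str
    severities: list  # scanner severities 1..5; empty list = scanned, clean


def exposure(scans, component):
    """Weight 5..10 from the worst scan finding; None if never scanned."""
    for s in scans:
        if s.component == component:
            return 5 + (max(s.severities) if s.severities else 0)
    return None


def prioritise(threats, scans):
    """Return (ranked, unscanned): components sorted by summed risk
    likelihood * impact * exposure, plus components with threats but no
    scan coverage, which need a scan before they can be scored."""
    totals, unscanned = {}, set()
    for t in threats:
        w = exposure(scans, t.component)
        if w is None:
            unscanned.add(t.component)
            continue
        totals[t.component] = totals.get(t.component, 0) + t.likelihood * t.impact * w
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, sorted(unscanned)


# Constructed sample data for a hypothetical consumer app.
THREATS = [
    Threat("credential stuffing against login", "login", 5, 4),
    Threat("SQL injection in profile search", "profile-api", 3, 5),
    Threat("volumetric DDoS on public endpoints", "edge", 4, 2),
    Threat("insecure export of user data", "export-job", 2, 5),
]
SCANS = [ScanResult("login", [2]), ScanResult("profile-api", [5, 3]), ScanResult("edge", [])]

if __name__ == "__main__":
    ranked, unscanned = prioritise(THREATS, SCANS)
    for component, score in ranked:
        print(f"{component:12s} {score}")
    print("no scan coverage:", unscanned)
```

The scales and the 5..10 exposure weight are arbitrary choices for the example; the point is that scan results and threat estimates combine into one ordering, and that unscanned components surface as a gap rather than dropping to the bottom.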
Focus on app security
Businesses need to think about the data-regulation landscape that GDPR places them in. By taking immediate steps to identify where they are vulnerable to threats and establishing visibility of cyber-attack attempts, businesses can help ensure that their apps are solidly protected and do not expose personal data. Making app security an essential part of the security strategy can help protect against the threat of GDPR non-compliance.
Article by F5 Labs principal threat research evangelist David Holmes.