Hyper connectivity, regulatory pressures, and heightened customer expectations are all having a significant impact on how companies operate. From financial services to retail stores, applications are now central to a rapidly evolving digital landscape. Despite this, companies continue to make dangerous security compromises and F5’s recent 2018 State of Application Delivery (SOAD) report revealed that 36% plan to protect less than a quarter of applications. This mindset needs to change.
App security plays a vital part of reputation management today. In fact, the EU General Data Protection Regulations (GDPR) has changed the data protection and usage game, empowering citizens to take ownership of their credentials and forcing businesses to operate with greater digital responsibility. Organisations must seize the opportunity to achieve greater efficiencies and drastically reduce risk to sensitive data.
Companies now need to deliver applications services with greater speed, adaptive functionality, and robust security. Here are my three tips to enhance application security.
- Embrace modern authentication techniques
Applications that drive business services will increasingly harness the cloud and sit at the heart of complex ecosystems. Therefore, companies must ensure they design, develop, and deploy applications with greater rigour to thoroughly authenticate users.
Where passwords and tokens were once the foundation of identity and access management, multi-factor authentication, standards-based solutions, biometrics and smartphone-based authentications are more robust alternatives today. Companies that have not adopted advanced methods should seriously consider migrating from legacy tolls to multi-factor solutions, which are specifically designed to meet the needs of the transitory workforce and safeguard user access to vital applications.
Weaponised botnets, such as Mirai and Reaper, are likely to grow, with Symantec recently revealing botnet operators are actually fighting over the same pool of devices, identifying and removing malware belonging to other botnets. Now is the time for businesses to look beyond logins and passwords and embrace cutting-edge techniques and integrated solutions that are both simple to use and can bolster security.
- Automate where necessary
Hackers have access to highly sophisticated tools thanks to NSA technologies leaked into the public domain. However, according toVerizon’s 2017 Data Breach Investigations Report, 88% of breaches fall into the nine patterns first identified in 2014, meaning that while attackers are using new tactics and tricks, their overall strategies remain relatively unchanged. Therefore, understanding how cybercriminals target applications helps to defend against brutal cyberattacks.
External applications are more natural targets for APIs, credential stuffing, and DDoS attacks, whereas internal applications remain a focus for ransomware, IP attacks and malware. Regardless of where they sit, companies need to accept the notion of ‘privacy by design’, ensuring applications, operating systems, and browser software is safeguarded against the latest threats.
If companies are to make wise investments, they should minimise the focus on anything that needs manual intervention or tuning. Products that self-adapt and auto-learn are key to reducing the manpower involved in managing security infrastructure.
Encouragingly, F5’s SOAD 2018 report found 53% of organisations are using automation partially or fully in production. By embracing such solutions, companies not only ensure there is no shortfall when people move into new positions or onto new companies, but that they meet compliance standards. With the GDPR mandating breaches must be reported in a timely manner, advanced technology is best placed to analyse systems and support speed of response to attacks.
- Collaborate across the enterprise
From the executive boardroom to the shop floor, the culture of security must be of paramount importance to an organisation. Executives must engage more with CISOs, architects, and security experts, whilst all employees should regularly engage with security training and adopt the latest best practice disciplines. Investment in the latest front-end digital platforms should always involve security teams from the onset and, where necessary, include independent expertise and consultation to ensure the strategy delivers the optimum security posture.
With the drive towards automation and digitisation providing a more seamless experience for customers, businesses must align evolution with compliance. In fact, organisations now need to have a data protection officer (DPO) to be responsible for data privacy matters. Collaboration with legal, sales, marketing, and operational functions is essential to ensure that breach procedures and notification timelines are in place.
In summary
Businesses must understand that cybercriminal networks are highly organised, well-funded and resourceful. Hackers will continue to develop and deploy sophisticated attacks using AI and malicious bots to circumvent security defences.
If companies are to successfully defend their applications and customer data, they must take a proactive approach. Authenticate staff and customers thoroughly, automate processes to minimise risk, and improve compliance through effective communications and collaboration with staff about best security practices to fully protect all areas of business.
[su_box title=”About Keiron Shepherd” style=”noise” box_color=”#336588″][short_info id=’105257′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.