Statistics
Since many organizations do not monitor online activity at the web application level, attackers have free rein: even the tiniest loophole in a company's web application code lets an experienced attacker break in using only a web browser and a dose of creativity and determination. Most attacks are discovered months after the initial breach, simply because attackers do not want to, and will not, leave an audit trail. In web application attacks, physical evidence (e.g., a missing database) is non-existent; attackers are interested in stealing the data and leaving the original intact.
Recent research by a leading research firm shows that 75% of cyber attacks take place at the web application level. As yet unpublished research at Acunetix seems to corroborate this finding, and competing web application security organizations record similar figures.
The Privacy Clearing House reports more interesting findings, including the fact that over 100 million records have been compromised since February 2005. However, this figure excludes the TJX episode of around 40 million records. Out of a total of around 140 million, approximately 80 million were due to hacking attacks. Having said this, it is not known whether the TJX episode was a network or a web application breach.
The Cost of Being Hacked
The costs of hack attacks to any organization are extensive with possible financial burdens that may result in closure:
* Loss of customer confidence, trust and reputation with the consequent harm to brand equity and consequent effects on revenue and profitability;
* Possible loss of the ability to accept certain payment instruments, e.g. VISA, Mastercard;
* Negative impact on revenues and profits arising from any falsified transactions and from employee downtime;
* Website downtime which is in effect the closure of one of the most important sales channels for an e-business;
* The expenditure involved in repairing the damage done and building contingency plans for securing compromised websites and web applications; and,
* Legal battles and related implications from Web application attacks and lax security measures including fines and damages to be paid to victims.
The figure above shows the total losses as reported by the 2005 CSI/FBI Annual Computer Crime and Security Survey.
The total losses per category of breach (valid only for the US) are reported to be over $130 million for the 639 respondents willing and able to estimate their losses. The Survey authors also state that while explicit costs (such as the cost of reinstalling software and reconfiguring computer systems) are accounted for fairly accurately by respondents, implicit costs (such as lost future sales due to negative media coverage following a breach) are more difficult to account for and are largely not represented in the loss numbers reported here.
Now, does it sound apocalyptic? I believe there is serious need for all to worry.