Bot-driven web traffic and its application security impact

New research conducted by the Ponemon Institute, which focused on such highly targeted industries as retail, healthcare and financial services, exposes the proliferation of bot-driven web traffic and its impact on organizations’ application security.

Bots conduct 52% of all Internet traffic flow. For some organizations, bots represent more than 75% of their total traffic. This is a significant finding considering one-in-three organizations cannot distinguish between ‘good’ bots and ‘bad’ ones.

The report also found that 45% of respondents had experienced a data breach in the last year, and 68% are not confident they can keep corporate information safe. What’s more, companies often leave sensitive data under-protected. In fact, 52% do not inspect the traffic that they transfer to-and-from APIs, and 56% do not have the ability to track data once it leaves the company.

Any organization that collects information on European citizens will soon be required to meet the strict data privacy laws imposed by General Data Protection Regulations (GDPR). These regulations take effect in May 2018. However, with less than seven months until the due date, 68% of organizations are not confident they will be ready to meet these requirements in time.

“It’s alarming that executives at organizations with sensitive data from millions of consumers collectively don’t feel confident in their security,” said Carl Herberger, Vice President of Security Solutions at Radware. “They know the risks, but blind spots continue to pose a threat. Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines.”

Key survey findings include:

Application security is an afterthought

Everyone wants the full automation and agility that the continuous delivery model of app development provides. Half (49%) of the respondents currently use the continuous delivery of application services and another 21% plan to adopt it within the next 12-24 months. However, continuous delivery can compound the security challenges of app development: 62% reckon it increases the attack surface and approximately half say that they do not integrate security into their continuous delivery process.

Bots are taking over

Bots are the backbone of online retail today. Retailers use bots for price aggregation sites, electronic couponing, chatbots, and more. In fact, 41% of retailers reported that more than 75% of their traffic comes from bots, yet 40% still cannot distinguish between “good” and “bad” bots.

Malicious bots are a real risk. Web scraping attacks plague retailers by stealing intellectual property, undercutting prices, holding mass inventory in limbo, and buying out inventory to resell goods through unauthorized channels at markup. But bots are not the exclusive problem of retailers. In healthcare, where 42% of traffic is from bots, only 20% of IT security execs were certain they could identify the “bad” ones.

API security is often overlooked

Some 60% of organizations both share and consume data via APIs, including personally identifiable information, usernames/passwords, payment details, medical records, etc. Yet 52% don’t inspect the data that is being transferred back and forth via their APIs, and 51% don’t perform any security audits or analyze API vulnerabilities prior to integration.

Holidays are high risk for retailers

Retailers face two distinct but highly damaging threats during the holidays: outages and data breaches. Web outages during the holiday season, when retailers make most of their profits, could have disastrous financial consequences. Yet more than half (53%) are not confident in their ability to provide 100% uptime of their application services. High-demand periods like Black Friday and Cyber Monday also spell trouble for customer data: 30% of retailers suggest they lack the ability to secure sensitive data during these periods.

Patient healthcare data is at risk

Just 27% of healthcare respondents have confidence they could safeguard patients’ medical records, even though nearly 80% are required to comply with government regulations. Patching systems is critical to an organization’s security and its ability to mitigate today’s leading threats, but some 62% of healthcare respondents have little or no confidence in their organization’s ability to rapidly adopt security patches and updates without compromising operations.

More than half (55%) of healthcare organizations said they had no way to track data shared with a third party after it left the corporate network. Healthcare organizations are particularly unlikely to monitor the dark net for stolen data, with 37% saying they did so, compared to 56% in financial services, and 48% in retail.

Multiple touchpoints equal higher risk

The rise of new financial technology (like mobile payments) has increased the access and volume of engagement with consumers, which, in turn, increases the number of access points with vulnerabilities and expands the risk security executives face. While 72% of financial services organizations share usernames and passwords and 58% share payment details via APIs, 51% do not encrypt that traffic, potentially exposing valuable customer data in transit.