In today's digital age, where data holds almost as much value as currency, it's alarming, but not surprising to see the vulnerabilities in internet-exposed applications. Web apps that house personally identifiable information (PII) are prime targets for cybercriminals, given the potential payoffs. These web apps, such as online banking portals where users can check their account balances, transfer money, and manage personal financial information, collect, store, or process the PII of users.

CyCognito's recent survey revealed that a staggering 74% of the web apps they studied had PII that was vulnerable to at least one known major exploit. Names like Papercut and MOVEit, among others, echo in the hallways of cybersecurity departments, signifying a widespread security crisis, potentially putting millions of users personal data at risk.

Internet-exposed apps are inherently riskier than those nested within internal networks. They are accessible from anywhere in the world, making them ripe targets for potential attackers. Vulnerabilities like SQL injections, cross-site scripting (XSS), and cross-site request forgery (CSRF) can expose PII to unauthorized individuals. While there are patches available for many of these vulnerabilities, the real challenge lies in timely application.

Patching: A simple, yet complicated solution

While it might seem straightforward to simply patch these vulnerabilities, it's more complex in reality. Security teams find patching challenging for various reasons:

  • Legacy systems: Older systems might not support newer patches or become unstable post-patching.
  • Operational downtime: Applying patches can require teams to take systems offline for some time, something that’s not always feasible for critical systems.
  • Compatibility issues: Patches can conflict with other software or custom-built applications, leading to unforeseen issues.

Patching becomes particularly challenging when organizations are inundated with a high volume of vulnerabilities, making it difficult to prioritize which ones to address first. Moreover, a general lack of understanding about the severity of these vulnerabilities, compounded by the unique structure and specific needs of each organization, can lead to critical threats being inadvertently overlooked or inadequately addressed.

Nevertheless, many in the industry are aware of these vulnerabilities. High-profile data breaches are often splashed across headlines, ensuring that the risks of PII exposure remain in the spotlight. Yet, the recurring nature of such breaches suggests a systemic issue in how organizations approach patching and security.

Consumer trust: The silent casualty

Beyond the immediate financial implications of a breach, there's an intangible, but invaluable loss: consumer trust. In an era where data privacy presents a significant concern, customers expect organizations to treat their personal data with the utmost care. 

Loss of consumer trust can have long-lasting repercussions, often more damaging than immediate financial losses. Once trust has eroded, it’s a monumental task to rebuild it. Take the Yahoo example. In 2016, it was revealed that Yahoo had suffered a series of breaches between 2013 and 2014 affecting around 3 billion user accounts. This massive breach, coupled with perceived delays in disclosure and handling, significantly impacted Yahoo’s reputation. The fallout was not only evident in the immediate backlash, but also had financial implications: news of the breach shaved off a significant amount from Yahoo's sale price in its acquisition deal with Verizon. Even years later, Yahoo's breaches serve as a cautionary tale, underscoring the profound and enduring impact of lost consumer trust following data security lapses.

To safeguard against these vulnerabilities, organizations must adopt a multi-faceted approach:

  • Vulnerability management: This includes regular scans and timely patching, ensuring vulnerabilities are identified and addressed promptly.
  • Robust authentication: MFA adds an extra layer of security, making unauthorized access considerably harder.
  • Data protection: Encryption of PII, both during transit and storage, ensures that even if data falls into the wrong hands, it remains unintelligible.
  • Access control: Adopting the least privileged principle ensures minimal data exposure, even if there’s a breach.
  • Continuous education: Employees often serve as the first line of defense. Regular training ensures they can spot and counteract potential threats.
  • Preparedness: Having an incident response plan ensures swift action during a breach, potentially limiting damage.
  • Network design: Segmented networks contain breaches, preventing widespread data exposure.
  • External insights: Third-party assessments can offer fresh perspectives on potential vulnerabilities.
  • Data recovery: Regular backups are crucial to restore operations post-breach.
  • Threat intelligence integration: By actively integrating and leveraging threat intelligence, organizations gain insights into emerging vulnerabilities, adversarial tactics, and real-time threat landscapes, enabling them to proactively adapt and fortify their defenses against new and evolving cyber threats.

Consider CyCognito’s research as a clarion call. Web applications must prioritize the privacy and protection of consumer data. Unfortunately, the financial implications of breaches are just the tip of the iceberg. Eroding consumer trust can have long-lasting impacts on a brand's reputation. Every organization dealing with PII must not only have robust cybersecurity measures, but also keep a vigilant eye on emerging threats and adjust their defense strategies accordingly.

Callie Guenther, cyber threat research senior manager, Critical Start