Five Security Layers Needed to Safeguard Online Interactions

The reality is that today’s digital environment encourages and rewards multi-pronged cyberattacks. Every company is a target when it comes to cyberattacks―regardless of size, revenue or industry. Fraudsters are migrating from the bigger entities that are harder to get into to prey on small- to mid-sized businesses that are more defenseless and more plentiful. It’s easier to get through two layers of security at a company that has five to 10 employees instead of a large corporate conglomerate with 20 layers of security. We saw this trend occur in the financial industry, where Bank of America, Citibank and Wells Fargo put multiple levels of security in place, shifting the fraud targets down to smaller regional and local banks and credit unions.

Web applications are especially vulnerable—from payment systems and shared documents to webmail platforms and dynamic websites—to a variety of cyberattack vectors. Research shows that in 2018 more than half of web application vulnerabilities had a public exploit available to hackers to launch devastating attacks. Other reports indicate more than 46 percent of websites have high cyber-security vulnerabilities. In many instances, the online channel provides the perfect inroad to penetrate deeper into corporate information systems. Three-quarters of network penetration vectors resulted from poor security protections for web resources, according to a 2019 report.

Multiple Levels of Protection Work to Form a United Front

Having a layered security strategy is an important response to today’s cyber-threat landscape where strategies and specific attack vectors used by cybercriminals are constantly evolving. Layered security takes a holistic view of cyber defense, accounting for the multitude of ways attacks can occur and recognizing the importance of log-in to log-out protection. Only integrated defenses that work across multiple web applications and protocols have any chance of stopping these attacks.

It can be a challenge for the largest global corporate conglomerates and even governments to build and maintain multi-layered security defenses. For small- or midsized-businesses, it can seem like an almost impossible task that’s further impacted by lack of internal resources and budget allocations.

Security teams have to be prepared for every threat possibility. That’s a big ask of any IT team. They not only must continually update their cybersecurity defenses based on current attack trends―but they also must work to future proof their systems for new threats on the horizon. Ransomware attacks, cryptocurrency hijackings, and phishing expeditions may be the top focuses for cybercriminals today, but if they have demonstrated anything, it’s the ability to quickly move on to new threat tactics that exploit newfound vulnerabilities.

Unfortunately, there is no single technology that can ensure security across today’s digital enterprise. And, there is no silver bullet that guarantees 100-percent protection. However, IT teams can be more strategic and effective in defending against today’s threats by recognizing the essential layers of security they really need to secure their online channels.

Key Security Layers that Provide the Strongest Deterrence

A company’s website houses a plethora of business and customer information related to accounts, transactions, payments and interactions―and, if left unsecured, can provide easy access to corporate networks with even more sensitive company and employee data. Whether it’s a hacker looking to tinker with your applications and services “because he or she can,” an attacker holding your website hostage for a ransom, or a cyber thief stealing data to sell on the Dark Web, the damages can be considerable. The average cost of cybercrime for an organization is estimated to be $13 million per year.

The following are the five essential layers of security your company should use to provide the strongest deterrence to cyberattacks coming in through the online channel. 

Layer One: Web Application Firewall

A web application firewall (WAF) filters, monitors and blocks traffic to and from your site. It also enforces rules on how visitors can interact with your website. WAF is considered a countermeasure because it is deployed to identify threats and then block them. WAFs normally protect against Open Web Applications Security Project (OWASP) threats, including cross-site scripting, the installation of malicious scripts into a website, and SQL injections whereby attackers inject code into SQL statements via web page input in order to read, modify or destroy sensitive databases. WAFs tend to be enterprise-grade, and if your company or website doesn’t qualify for or meet certain requirements, the protection may be bigger than you need or more complex to deploy. However, there are cloud-based WAF solutions that allow for more custom security rules that fit the needs of small- to mid-sized businesses.

Layer Two: Access Control

The access-control security level safeguards a website’s data, both on the front and back ends. It dictates access to web resources through the use of restrictions―including what users can do once granted access, to the specific information they can retrieve, to the types of functions they can perform on any data. Since one of the first things a cybercriminal can easily do once inside your website is to install backdoor access for remote sessions in the future, access-control security is capable of identifying these access points and their locations so they can be blocked, rendered inoperable and removed.

Layer Three: Bot Protection

Bots can be valuable tools for companies looking to improve their search-engine rankings and increase their sites’ visibility. However, there are also malicious varieties that can negatively impact web services. In 2018, one in five website requests was generated by bad bots alone. Bot protection is essential to defending your web applications from the “bad bots” which can be involved with denial-of-service (DoS) attacks, stealing data, publishing fake content or reviews as well as skewing advertising and visitor analytics. Premium bot protection should have the capability to distinguish between good bots, bad bots and suspicious bots, including options to block or challenge them with CAPTCHA, for example.

Layer Four: Login

Compromised login credentials represent big business for cyber thieves, as millions of usernames and passwords are increasingly stolen and sold through the Dark Web each year. Passwords, regardless of how complex, are no longer enough to protect access to a company’s online channel. The susceptibility of passwords is a recurring theme in breach after breach. However, more and more companies have turned to multifactor authentication (MFA) to provide a necessary level of secure access based on multiple data parameters and other factors derived from end users’ login attempts.

Unfortunately, less technically advanced versions of MFA often disrupt the end-user experience. Companies that have tired of making convenience trade-offs for good security are using  Single Sign-On (SSO) technology to give them a convenient and secure means to thwart cyber criminals. It allows enterprises to more easily and securely manage access to sensitive data while giving users a simplified way to manage logins with one click, and only one set of credentials.

Layer Five: Behavioral Monitoring and Analytics

True protection comes in the form of solutions that can help security professionals proactively recognize potential threats―before they happen. Companies that add behavioral monitoring and analytics to their online security programs have gained new-found insights into suspicious behaviors that serve as warnings of potential cyber threats. 

In order to truly address the full fraud lifecycle, companies can use behavioral monitoring and analytics to monitor every user interaction and transaction to uncover suspect behaviors while engaged with their online channel. Behavioral analysis takes security to another level by examining activities and behaviors so that even if someone is able to compromise a user’s identity, the hacker still has to be able to act like the user, which is when the alarms should start to sound. 

Better Position Your Company to Quickly Respond to Future Cyber Threats

Companies can cost effectively build reliable online security by taking a layered approach that utilizes these five essential technologies: WAF, access control, bot protection, MFA (combined with SSO) and behavioral monitoring and analytics. Combined with other tactics such as educating and training employees, conducting process audits and deploying modern protocols, these technologies can form the foundation for strong online security that will help enhance visibility into potential threats, reduce response times and diminish the impact of cyberattacks. Credential verification and authentication needs to be a rigorous part of any company’s security routine. By understanding how users access and interact with an online channel, companies around the world can develop a model of understanding to be better positioned to more quickly respond to potential cyber threats when unusual activities occur.