More than Compliance: Turn Web Scanning into a Strategic Business Asset
Published Sep 8, 2023, by Leonard Melnik
Introduction
Web scanning is a process that assesses the status of a publicly or privately accessible website (as well as some internal sites). It searches for vulnerabilities in software or configuration, and the results can indicate whether the site is compliant with certain standards, such as GDPR, CCPA, COPPA or ADA.
A vulnerability is a weakness in a system, something that can be used to compromise it. The impact could range from being able to change some text to having full control over the underlying server and access to all the confidential and private information stored on the backend. Vulnerabilities generally arise in one of two ways: either the software or service in use has flaws and has not been updated to a secure version (a secure version may not be available yet), or it has not been configured properly. Both can have devastating consequences.
Compliance issues are closely tied to vulnerabilities. Noncompliance means something is not being done in a proper manner. This could mean that unnecessary data is being collected, or that data is being handled in a way that is not optimal. Noncompliance can allow vulnerabilities to exponentially increase the damage caused. For example, a travel company might collect passport data when it does not need to. Even though this does not cause any direct harm, if there were a breach, the attackers would now have access to the passport information, data that did not need to be in the system in the first place. And since the best security is preventative, compliance is the first step.
A company that is hacked is not necessarily at fault, but noncompliance makes it responsible. Not only are compliant systems simpler (less data being stored), but they also prevent legal issues if a breach is discovered.
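As an added illustration of the configuration-level checks a web scanner performs (this is example code written for this page, not code from the article or from EisnerAmper), the following Python script inspects an HTTP response for common misconfigurations: missing browser-hardening headers, a Server banner that discloses a version number, and session cookies without the Secure and HttpOnly attributes. The header checklist, the server name `ExampleHTTPd` and both sample responses are constructed for the example and do not come from a real site.

```python
"""Minimal configuration scan of an HTTP response (constructed example)."""
import re
from typing import List, Tuple

# Headers whose absence a scanner would typically report (assumed checklist).
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: clients may be downgraded to plain HTTP",
    "content-security-policy": "CSP missing: no restriction on script/resource origins",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page may be framed (clickjacking)",
}

# Constructed responses; server name and cookie value are placeholders.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/1.2.3\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html>...</html>"
)

Finding = Tuple[str, str, str]  # (category, subject, explanation)


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (name, value) headers.
    Names are lower-cased; repeated headers such as Set-Cookie keep their order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines rather than abort the scan
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def scan_headers(headers: List[Tuple[str, str]]) -> List[Finding]:
    """Report missing hardening headers, version disclosure and weak cookie flags."""
    findings: List[Finding] = []
    present = {name for name, _ in headers}
    for name, why in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(("missing-header", name, why))
    for name, value in headers:
        # A dotted version number in the banner helps attackers pick known flaws.
        if name == "server" and re.search(r"\d+\.\d+", value):
            findings.append(("version-disclosure", "server", f"banner reveals version: {value}"))
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            if "secure" not in attrs:
                findings.append(("cookie-flag", cookie, "Secure attribute missing"))
            if "httponly" not in attrs:
                findings.append(("cookie-flag", cookie, "HttpOnly attribute missing"))
    return findings


def scan(raw: str) -> List[Finding]:
    """Parse a raw response and return the list of configuration findings."""
    _, headers = parse_response(raw)
    return scan_headers(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        results = scan(raw)
        print(f"{label}: {len(results)} finding(s)")
        for category, subject, why in results:
            print(f"  [{category}] {subject}: {why}")
```

Run against the two constructed responses, the weak one yields seven findings (four missing headers, one version disclosure, two cookie flags) and the hardened one yields none; in a real scanner the same checks run over live responses and feed a report alongside the compliance items the article describes.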
The Harms of Vulnerabilities and Noncompliance
A vulnerability or compliance issue being exploited is one thing, but where can this lead and what harm can it cause a business? The first and most obvious harm is downtime and lost opportunity. A vulnerability on a website can allow attackers to deface it or shut it down entirely. The cost will depend on the business, but it typically cuts off the influx of new leads and clients. If the website also serves current customers, they will not be able to get the service they need, which is an additional opportunity cost. In 2023, this cost averaged around $1.3 million per breach.
The other, more dangerous result is a data breach. According to IBM’s 2023 Cost of a Data Breach Report, the average cost of a data breach is $4.45 million. This is a 2.3% increase from 2022 and a 15.3% increase from 2020, showing a clear trend of costs associated with data breaches rising.
Compliance plays a big part in what data is accessed. According to the same report, customer PII (personally identifiable information) was the costliest and most frequently compromised type of record. And the third biggest cost amplifier was noncompliance with regulations, not including the fines that follow a breach or successful attack.
There is a common misconception that small businesses are not targets of attacks. In fact, data breach costs for small companies increased by 13.4% to 21.4%, while those for larger companies decreased by at least 1.8%.
Dual Role
Web scanning does not just prevent data loss, lawsuits and compliance changes; it also serves as a way to boost the bottom line.
Proactive threat hunting and offensive security testing combined save a company on average almost $200,000 (even in the cases where they did not prevent the breach). And the report's first recommendation is to build with security in mind and to use ongoing application testing.
Some companies can gain more trust from their customers, as well as expand into new markets of security-conscious consumers, by demonstrating their commitment to data protection and customer privacy. Not only can this help their brand, but it also reduces the chance of an incident, which can cause significant reputational damage.
Conclusion
Breaches and incidents are inevitable. The best course of action is to minimize the harm, downtime and lost opportunities. One of the best ways of doing so is to perform ongoing scanning and testing, as well as to follow industry-standard regulations and compliance requirements. One can make a difference; both can make a change.
Contact EisnerAmper