The global security threat outlook continues to evolve — the shift to the cloud, the push to mobile apps, and the adoption of IoT are opening up new attack vectors and causing an explosion of new security vulnerabilities. With major vulnerabilities being exposed, like the Apache Struts flaw that cost Equifax over $1.4 billion, enterprises need to take a second look at their approaches to vulnerability management.
What doesn’t always hit the headlines are the breaches that never were — stories of companies who “hacked themselves first.” In its first iteration released today, the 2019 Priority One Report provides insight on how new offensive approaches like crowdsourced security can be the best defense to helping organizations prevent these types of security incidents.
So what did the data show?
Up and To the Right
As far as the numbers go, things continue to trend up and to the right for the average severity of issues and the incentives that are being used to attract those issues. Take the recent news of Google raising the bar on its bounty payouts.
According to the Priority One Report, security vulnerabilities and payouts to the Crowd nearly doubled year over year — a 93% increase in total vulnerabilities reported and an 83% increase in average payouts per vulnerability. Payouts for bug bounty programs also continue to rise, with critical vulnerabilities reaching nearly $2,700, an almost 30% increase over last year.
As more programs launch and hacker engagement increases, the number of reports is bound to continue following the upward trend. Ultimately, finding bugs is a good thing. The fact that the crowd is finding more critical bugs means that these high-severity issues are being identified and resolved sooner.
Breaking it Down by Industry
As the market continues to mature, more companies across industries are adopting crowdsourced security programs. Over the last year, Bugcrowd saw the largest increase in Financial Services. With firms in that sector falling victim to cybersecurity attacks 300X more frequently than businesses in other industries, and a cost of $18 million per cyberattack, this 71% increase in adoption suggests growing recognition of crowdsourced security.
Retail and Healthcare followed closely after, showing 50% and 44% increases in adoption, respectively. Healthcare has historically been slow to adopt new technologies due to the risk associated with changing how data is stored, transmitted, or processed. This is true even of security technology. However, healthcare is adopting crowdsourced security much faster than it has adopted other security solutions.
Given the sensitive nature of the assets, payouts for Healthcare rank amongst the highest — the average payout for critical vulnerabilities was nearly $3,500, compared to the roughly $1,000 overall average payout. Interestingly, this is higher than both the critical and the average payouts across all programs run through Bugcrowd.
Crowdsourced security continues to uncover 10 times as many security bugs as traditional security assessment methods. It's a no-brainer why traditionally highly regulated and highly targeted industries like Healthcare and Financial Services are turning to platforms like Bugcrowd to help protect their sensitive data.
In the first half of 2019, we saw a nearly 30% increase in the number of programs launched versus the same time in the year before, and a 50% increase in public programs launched. More companies are reaching security maturity and taking their programs public as a part of their corporate social responsibility on the internet.
Looking beyond awareness and adoption, next year will be about homing in on the specific skill sets of the whitehats — tracking their specialties and better pairing them with programs to uncover these critical priority ones.
Given shifting technology environments, more skills and education will be needed to combat new vulnerabilities across growing attack vectors. However, this does not come without challenges, since the cybersecurity skills shortage is growing at an alarming rate. Cue the whitehats to shift back the balance of power!
Download the full Priority One report here, and stay tuned for our next installment all about the most critical vulnerabilities.