Key findings from the Global Data at Risk - 2020 State of the Web Report highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks:
- Despite increasing numbers of high-profile breaches, forms found on 92 percent of websites expose data to an average of 17 domains. This is PII, credentials, card transactions, and medical records. While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, Tala’s analysis shows that this data is exposed to nearly 10X more domains than intended. Nearly one third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.
Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:
- Over 99 percent of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
- 30 percent of the websites analyzed had implemented security policies - an encouraging 10 percent increase over 2019. However...
- Only 1.1 percent of websites were found to have effective security in place - an 11 percent decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.
Download the Global Data at Risk - 2020 State of the Web Report here.